Blog
SEBI PIT Compliance: Why Partial or Piecemeal or Manual Processes Are Dangerous
Jun 02,2026
Your compliance team sent the trading window circular on time. Pre-clearance requests were processed. The UPSI log exists somewhere in a shared folder. By most counts, that looks like SEBI PIT compliance. But here is the question worth pausing on: if SEBI conducted an inspection tomorrow, how much of it could you actually prove?
According to a KPMG report on insider threats (January 2025), penalties for violations under Section 15G of the SEBI Act start at Rs 10 lakh and can extend to Rs 25 crore, or three times the profits from the violation, whichever is higher. In many enforcement actions, the trigger was not deliberate insider trading. It was a missed SDD entry, an incomplete insider list, or a trading window notice that did not reach every Designated Person.
Partial SEBI PIT compliance is not a lighter version of compliance. It is a gap that regulators are increasingly equipped to find.
What SEBI PIT Compliance Actually Requires
The SEBI (Prohibition of Insider Trading) Regulations, 2015, and the March 2025 amendment together create a compliance obligation that goes far beyond a periodic checklist. The full framework covers UPSI identification and classification, Structured Digital Database (SDD) maintenance, Designated Person (DP) identification, Code of Conduct obligations for Designated Persons, pre-clearance workflows, trading window controls, and timely disclosure management.
The 2025 amendment alone expanded the definition of UPSI to 16 categories of events, now including KMP changes, forensic audit initiation, fund-raising decisions, and guarantee issuances, among others.
Most manual compliance processes address two or three of these areas at best. The remaining obligations are often managed through email threads or spreadsheets. On a routine day, that may feel sufficient. Under a SEBI inspection, it is not.
The Problem with Excel and Manual Tracking
Spreadsheet-based compliance is one of the most common and least discussed risks in listed company governance. On the surface, it appears functional. Under scrutiny, it fails on the very standards SEBI inspections are built to test.
Three specific failures stand out. First, entries in a spreadsheet can be edited or deleted at any point with no log of what changed, by whom, and when. This directly violates the non-tamperability requirement under Regulation 3(5) of the PIT Regulations. Second, spreadsheets carry no reliable time-stamp that establishes when a UPSI entry was made relative to when the underlying event occurred, and in a regulatory review, that sequence matters considerably. Third, when the same compliance file exists across multiple email chains and shared drives, there is no single, defensible version of the record.
SEBI inspections specifically examine audit trails. A spreadsheet cannot generate one. What cannot be traced is treated as though it never happened.
Delayed UPSI Classification: A Risk That Compounds
One of the more underestimated failures in UPSI management is the gap between when a UPSI event occurs and when it is formally classified and recorded in the SDD. A merger discussion that begins informally before documentation. A KMP resignation is communicated verbally before it is processed. A forensic audit initiated before internal disclosure is made. These are not rare scenarios.
The March 2025 amendment now requires that UPSI received from external sources be entered into the SDD within two calendar days of receipt. Manual processes have no mechanism to enforce or track this deadline.
The compounding effect is significant. A delayed UPSI classification leads to a delayed insider list update, which then leads to missed or incorrect trading window controls. Each gap creates the next one. SEBI does not evaluate compliance on outcomes alone. It examines the timeline of events against the timeline of compliance actions, and any misalignment is a liability.
Insider Identification Errors and Trading Window Mistakes
Two compliance failures appear repeatedly across listed companies, often together.
The first relates to Designated Person identification. Insider lists may exclude consultants, legal advisors, auditors, and in certain cases their immediate relatives, all of whom can fall within SEBI's definition of Designated Persons or Connected Persons depending on their access to UPSI. Where manual lists are in use, these inclusions are not always captured in real time, and updates when roles or engagements change are not guaranteed.
The second is trading window management errors. These include sending closure notices to an incomplete list of Designated Persons, failing to distinguish between UPSI that originates internally, which requires trading window closure, and UPSI that originates externally, which as per the 2025 amendment may not require closure, and having no mechanism to verify whether a pre-cleared trade was executed within the approved window, quantity, and price range.
These procedural gaps reflect exactly the kind of compliance failures SEBI has been actively flagging through warning letters and enforcement actions across listed companies.
What Regulatory and Reputational Risk Actually Looks Like
The financial stakes are well established. Penalties under Section 15G range from Rs 10 lakh to Rs 25 crore, or three times the profits from the violation, whichever is higher. Imprisonment of up to 10 years applies in serious cases.
But in practice, the monetary penalty is rarely the most damaging consequence. A public enforcement order, a warning letter addressed to a named compliance officer, or an investigation that enters the public record carries far greater long-term cost, particularly for organisations with strong market reputations.
SEBI has steadily moved toward technology-driven surveillance and preventive regulation. Procedural non-compliance, documentation gaps, and delayed disclosures are themselves triggers. The distance between a compliance failure and a formal inquiry is narrowing every year.
Conclusion
SEBI PIT compliance is not a set of independent tasks to be reviewed quarterly. It is an integrated, ongoing process where UPSI classification, SDD maintenance, insider tracking, trading window controls, pre-clearance, and Code of Conduct management all depend on each other being done accurately and on time.
Manual and piecemeal approaches may appear to function on a routine day. Under a SEBI inspection or enforcement inquiry, what matters is documentation that is tamperproof, time-stamped, complete, and audit-ready. These are standards that disconnected spreadsheets and email-based processes cannot consistently meet.
For listed companies looking to move from partial compliance to verifiable, defensible compliance, Axar Digital's InsiderLens is purpose-built around the full scope of SEBI PIT requirements.
FAQs
What happens if my company does not maintain a Structured Digital Database?
Failure to maintain a non-tamperproof SDD is a direct violation of Regulation 3(5) of the SEBI PIT Regulations. SEBI routinely examines SDD records during inspections, and the absence of a proper database can result in penalties, enforcement actions, and personal liability for the Compliance Officer.
Does the 2025 UPSI amendment mean my compliance team now has more work to do?
Yes, considerably more. With UPSI now covering 16 categories of events, your team must classify a broader range of corporate developments as UPSI, update the SDD within two calendar days for externally received information, and revisit the Code of Conduct and Designated Person lists accordingly.
Can a listed company manage SEBI PIT compliance through spreadsheets?
A company can attempt to, but spreadsheets cannot meet the non-tamperability requirement under the PIT Regulations, do not generate audit trails, and carry no reliable time-stamps. During a SEBI inspection, spreadsheet-based compliance records are unlikely to meet the regulator's evidentiary standards.
Your compliance team sent the trading window circular on time. Pre-clearance requests were processed. The UPSI log exists somewhere in a shared folder. By most counts, that looks like SEBI PIT compliance. But here is the question worth pausing on: if SEBI conducted an inspection tomorrow, how much of it could you actually prove?
According to a KPMG report on insider threats (January 2025), penalties for violations under Section 15G of the SEBI Act start at Rs 10 lakh and can extend to Rs 25 crore, or three times the profits from the violation, whichever is higher. In many enforcement actions, the trigger was not deliberate insider trading. It was a missed SDD entry, an incomplete insider list, or a trading window notice that did not reach every Designated Person.
Partial SEBI PIT compliance is not a lighter version of compliance. It is a gap that regulators are increasingly equipped to find.
What SEBI PIT Compliance Actually Requires
The SEBI (Prohibition of Insider Trading) Regulations, 2015, and the March 2025 amendment together create a compliance obligation that goes far beyond a periodic checklist. The full framework covers UPSI identification and classification, Structured Digital Database (SDD) maintenance, Designated Person (DP) identification, Code of Conduct obligations for Designated Persons, pre-clearance workflows, trading window controls, and timely disclosure management.
The 2025 amendment alone expanded the definition of UPSI to 16 categories of events, now including KMP changes, forensic audit initiation, fund-raising decisions, and guarantee issuances, among others.
Most manual compliance processes address two or three of these areas at best. The remaining obligations are often managed through email threads or spreadsheets. On a routine day, that may feel sufficient. Under a SEBI inspection, it is not.
The Problem with Excel and Manual Tracking
Spreadsheet-based compliance is one of the most common and least discussed risks in listed company governance. On the surface, it appears functional. Under scrutiny, it fails on the very standards SEBI inspections are built to test.
Three specific failures stand out. First, entries in a spreadsheet can be edited or deleted at any point with no log of what changed, by whom, and when. This directly violates the non-tamperability requirement under Regulation 3(5) of the PIT Regulations. Second, spreadsheets carry no reliable time-stamp that establishes when a UPSI entry was made relative to when the underlying event occurred, and in a regulatory review, that sequence matters considerably. Third, when the same compliance file exists across multiple email chains and shared drives, there is no single, defensible version of the record.
SEBI inspections specifically examine audit trails. A spreadsheet cannot generate one. What cannot be traced is treated as though it never happened.
Delayed UPSI Classification: A Risk That Compounds
One of the more underestimated failures in UPSI management is the gap between when a UPSI event occurs and when it is formally classified and recorded in the SDD. A merger discussion that begins informally before documentation. A KMP resignation is communicated verbally before it is processed. A forensic audit initiated before internal disclosure is made. These are not rare scenarios.
The March 2025 amendment now requires that UPSI received from external sources be entered into the SDD within two calendar days of receipt. Manual processes have no mechanism to enforce or track this deadline.
The compounding effect is significant. A delayed UPSI classification leads to a delayed insider list update, which then leads to missed or incorrect trading window controls. Each gap creates the next one. SEBI does not evaluate compliance on outcomes alone. It examines the timeline of events against the timeline of compliance actions, and any misalignment is a liability.
Insider Identification Errors and Trading Window Mistakes
Two compliance failures appear repeatedly across listed companies, often together.
The first relates to Designated Person identification. Insider lists may exclude consultants, legal advisors, auditors, and in certain cases their immediate relatives, all of whom can fall within SEBI's definition of Designated Persons or Connected Persons depending on their access to UPSI. Where manual lists are in use, these inclusions are not always captured in real time, and updates when roles or engagements change are not guaranteed.
The second is trading window management errors. These include sending closure notices to an incomplete list of Designated Persons, failing to distinguish between UPSI that originates internally, which requires trading window closure, and UPSI that originates externally, which as per the 2025 amendment may not require closure, and having no mechanism to verify whether a pre-cleared trade was executed within the approved window, quantity, and price range.
These procedural gaps reflect exactly the kind of compliance failures SEBI has been actively flagging through warning letters and enforcement actions across listed companies.
What Regulatory and Reputational Risk Actually Looks Like
The financial stakes are well established. Penalties under Section 15G range from Rs 10 lakh to Rs 25 crore, or three times the profits from the violation, whichever is higher. Imprisonment of up to 10 years applies in serious cases.
But in practice, the monetary penalty is rarely the most damaging consequence. A public enforcement order, a warning letter addressed to a named compliance officer, or an investigation that enters the public record carries far greater long-term cost, particularly for organisations with strong market reputations.
SEBI has steadily moved toward technology-driven surveillance and preventive regulation. Procedural non-compliance, documentation gaps, and delayed disclosures are themselves triggers. The distance between a compliance failure and a formal inquiry is narrowing every year.
Conclusion
SEBI PIT compliance is not a set of independent tasks to be reviewed quarterly. It is an integrated, ongoing process where UPSI classification, SDD maintenance, insider tracking, trading window controls, pre-clearance, and Code of Conduct management all depend on each other being done accurately and on time.
Manual and piecemeal approaches may appear to function on a routine day. Under a SEBI inspection or enforcement inquiry, what matters is documentation that is tamperproof, time-stamped, complete, and audit-ready. These are standards that disconnected spreadsheets and email-based processes cannot consistently meet.
For listed companies looking to move from partial compliance to verifiable, defensible compliance, Axar Digital's InsiderLens is purpose-built around the full scope of SEBI PIT requirements.
FAQs
What happens if my company does not maintain a Structured Digital Database?
Failure to maintain a non-tamperproof SDD is a direct violation of Regulation 3(5) of the SEBI PIT Regulations. SEBI routinely examines SDD records during inspections, and the absence of a proper database can result in penalties, enforcement actions, and personal liability for the Compliance Officer.
Does the 2025 UPSI amendment mean my compliance team now has more work to do?
Yes, considerably more. With UPSI now covering 16 categories of events, your team must classify a broader range of corporate developments as UPSI, update the SDD within two calendar days for externally received information, and revisit the Code of Conduct and Designated Person lists accordingly.
Can a listed company manage SEBI PIT compliance through spreadsheets?
A company can attempt to, but spreadsheets cannot meet the non-tamperability requirement under the PIT Regulations, do not generate audit trails, and carry no reliable time-stamps. During a SEBI inspection, spreadsheet-based compliance records are unlikely to meet the regulator's evidentiary standards.
Your compliance team sent the trading window circular on time. Pre-clearance requests were processed. The UPSI log exists somewhere in a shared folder. By most counts, that looks like SEBI PIT compliance. But here is the question worth pausing on: if SEBI conducted an inspection tomorrow, how much of it could you actually prove?
Devdutta Modak
