SEBI's FAQ on Structured Digital Database: What Compliance Officers Must Get Right

Source: SEBI's Comprehensive FAQs on SEBI (PIT) Regulations, 2015, dated December 31, 2024 — Section B, "Structured Digital Database" (Q.5–Q.12). This FAQ document formally rescinds all earlier PIT guidance notes and FAQs, including the original August 24, 2015 Guidance Note. It is the current authoritative clarification from SEBI, though SEBI itself notes it is guidance, not a binding legal interpretation.

Why this section matters

Regulation 3(5) of the PIT Regulations requires every listed company to maintain a Structured Digital Database (SDD) — a log of every person with whom Unpublished Price Sensitive Information (UPSI) is shared, and the nature of that information. It sounds like a simple record-keeping requirement. In practice, it is one of the most frequently misapplied provisions, because the regulation text is silent on questions that come up immediately once you try to implement it: Can we use a cloud vendor? Does a law firm we've engaged need its own database? How long do we keep the data? SEBI's FAQ answers exactly these operational questions, and reading between the lines tells you a lot about what SEBI is actually worried about.

Q5 & Q6 — The SDD obligation extends beyond the listed company itself

What SEBI clarifies: The SDD requirement under Regulation 3(5) applies not just to the listed company, but to every intermediary and fiduciary (law firms, merchant bankers, auditors, consultants, etc.) who handles the company's UPSI in the course of business.

What SEBI intends: This is SEBI closing an obvious gap. If the obligation stopped at the listed company's own boundary, UPSI shared with an external advisor would effectively fall into a blind spot the moment it left the company's systems. SEBI's answer makes clear that each entity in the chain maintains its own SDD — the listed company logs who it shared UPSI with (including the advisor firm and the specific individual there), and the advisor firm separately logs its own internal sharing under Regulation 9A(2)(d) and Schedule C. The worked example in the FAQ (company X sharing with law firm Y, individual A sharing with individual B) is worth keeping as a template: your SDD entry should always capture the entity, the specific individual, and their PAN (or other identifier if PAN is unavailable) at both ends of every UPSI transmission.

Practical takeaway for compliance officers: When you engage external advisors on anything UPSI-adjacent (fundraising, M&A due diligence, results before disclosure), your engagement process should include a contractual reminder that the advisor is independently obligated to maintain its own SDD. Don't assume your own logging discharges the whole chain's obligation.

Q7 & Q8 — Cloud hosting and third-party software: "internal" does not mean "on our own servers," but it does mean "our data, our control"

What SEBI clarifies: This is one of the more consequential clarifications in the document, precisely because SEBI reversed its own earlier position. Prior to March 31, 2023, SEBI's FAQ stated flatly that any database/server provided by a third-party vendor — in India or abroad — would be considered "outsourced" and therefore non-compliant. The revised answer takes a more nuanced, risk-based view: hosting on Amazon, Google Cloud, or similar is not automatically outsourcing, provided the Board and Compliance Officer retain accountability for confidentiality, integrity, and security of the data, and ensure compliance with all applicable SEBI/exchange requirements.

However, Q8 draws a sharper line: if a third-party vendor's software operates on a login basis where the vendor's own server holds the data such that the vendor could access it, that is treated as outsourcing and is non-compliant — regardless of who is keying in the entries.

What SEBI intends: The dividing line SEBI is drawing is not "cloud vs. on-premise" but who can access the underlying data. A cloud instance where your company controls access, encryption, and the vendor has no visibility into the content is fine. A SaaS tool where the vendor's infrastructure means vendor personnel could access your UPSI records is not. This reflects SEBI moving from a rigid, form-based test (2019/2021 era) to a substance-based test (2023 onward) — a pattern worth watching, because it signals SEBI is generally willing to accommodate modern infrastructure as long as accountability and access control stay demonstrably with the listed company.

Practical takeaway: If you're evaluating an SDD software vendor, the diligence question to ask is not "is this cloud-based" but "can the vendor's personnel access our UPSI logs, and can we prove they can't." Get this in writing from the vendor and keep it in your compliance file — it is your evidence of "adequate internal controls and checks" under Regulation 3(5) if ever questioned.

Q9 — No, you don't have to publish your UPSI list

A short but useful clarification: there is no requirement to disseminate the company's in-house UPSI list publicly. This answers a fairly common point of confusion — the SDD is an internal control and audit trail, not a disclosure obligation. Don't over-comply by publishing something SEBI never asked for.

Q10 — Internal sharing counts too

SEBI is explicit: the SDD obligation applies even when UPSI is shared purely within the company (e.g., between departments), not just when shared externally. The intent here is straightforward — most insider trading risk actually originates from internal access, not external sharing, so an SDD that only tracked outbound sharing would miss the bulk of the real risk surface.

Q11 — Nominee directors sharing with their parent bank/FI

What SEBI clarifies: Nominee directors of banks/FIs who are designated persons or insiders, and who share UPSI with their parent bank/FI for a legitimate purpose, are still "communicating" UPSI within the meaning of the regulations — and that sharing must be logged in the company's SDD.

What SEBI intends: Note the subtle but important change between the pre-2023 and post-2023 wording (both versions are reproduced in the FAQ, which is a good habit to check whenever you rely on an FAQ answer — verify you're reading the current version, not a superseded one). The current answer removes an implicit qualifier and applies more broadly to nominee directors "of a bank or financial institution." The takeaway for compliance officers is that "legitimate purpose" sharing is not exempt from logging — legitimate purpose affects whether the sharing is permissible under Regulation 3(1)'s proviso, not whether it needs to be recorded. Permissible and unrecorded are two different things; SEBI wants both the permissibility test and the audit trail satisfied.

Q12 — Retention: eight years, longer if SEBI is investigating

Regulation 3(6) sets an 8-year minimum retention period after completion of the relevant transaction, extending indefinitely if SEBI opens an investigation or enforcement proceeding touching that data. This is a hard compliance-calendar item: your data retention/deletion policies for the SDD need an explicit carve-out for this 8-year floor (most general IT data-retention policies default to much shorter windows, e.g. 3–5 years, and will conflict with this requirement unless specifically flagged).

Bottom line for your compliance checklist

  • Map every external party (advisors, bankers, auditors) who receives UPSI and confirm they understand they run their own SDD.
  • For any cloud/SaaS SDD tool, get written confirmation of who can access the underlying data — that's the real compliance test post-2023, not where the servers sit.
  • Don't publish your UPSI list; it's an internal control, not a disclosure.
  • Log internal-only UPSI sharing with the same rigor as external sharing.
  • Confirm your data retention policy carves out an 8-year (or longer, if under investigation) floor specifically for SDD records.

This article interprets SEBI's published FAQ for general informational purposes and reflects our reading of the source document as of the date of publication. It is not legal advice and should not be treated as a substitute for the actual text of the PIT Regulations, applicable circulars, or advice from a qualified professional. Readers should independently verify current requirements against SEBI's website before acting.