Mandatory Compliance: SDD for Fiduciaries CAs & Audit Firms
Mandatory Compliance: Structured Digital Database (SDD) for Fiduciaries (CAs & Audit Firms)
As a chartered accountant or audit firm dealing with unpublished price-sensitive information such as financial data, earnings, or other confidential information of listed companies prior to public disclosure, you are classified as a fiduciary under the SEBI (Prohibition of Insider Trading) Regulations, 2015.
Based on the NSE Circular dated 28.10.2022—Annexure II—and the SEBI (Prohibition of Insider Trading) Regulations, 2015, here is a compliance summary tailored for chartered accountants and audit firms handling unpublished price-sensitive information.
This fiduciary status imposes a mandatory obligation to maintain an internal Structured Digital Database (SDD) to ensure transparency and prevent misuse of UPSI. This is not merely a good practice; it is a regulatory requirement. If your CA firm handles financials or UPSI of listed or proposed-to-be-listed companies, you are considered a fiduciary under Regulation 3(2A) of the SEBI (PIT) Regulations, 2015. This brings a direct legal obligation to maintain a Structured Digital Database (SDD) internally.
What Must Be Maintained in the SDD?
As per Regulation 9A(2)(d) and Schedule C of the PIT Regulations, your firm must internally maintain a digital database that captures:
- Nature of UPSI received or shared
- Names, PAN or other identifiers of persons involved (shared with or received from)
- Date and time stamps of information access/sharing
- Audit trails with non-tamperable entries
Important Requirements for Chartered Accountants and Audit Firms:
- SDD cannot be outsourced – must be maintained internally
- Entries must be time-stamped and tamper-proof
- Any correction must be made via new entry referencing the old, not by altering past records
- Access must be limited to “need-to-know” individuals and identity must be auditable
- SDD is mandatory even for UPSI shared internally, not just with external parties
Non-Compliance = Risk
For a chartered accountant or audit firm, failure to maintain a valid SDD can result in penalties, regulatory scrutiny, and reputational damage, affecting both the audit firm and the client (the listed entity). A CA may use external software for maintaining the SDD, provided it is installed and managed internally, ensuring data control, security, and traceability.
Next Steps for Your CA Firm:
- Identify team members handling UPSI
- Implement or upgrade an internal SDD system
- Train staff on SDD compliance and PIT obligations
- Conduct periodic reviews and internal audits for adherence
Failure to maintain a compliant SDD can expose your firm and your clients to significant regulatory scrutiny and penalties under SEBI norms.
A chartered accountant or audit firm protects and safeguards its clients. Ensure your firm's SDD is active, secure, and compliant. If your CA firm is not yet maintaining a structured digital database, we urge you to implement one immediately to remain compliant and avoid regulatory consequences.
In summary, the SDD must accurately record the nature of UPSI received or shared, the names, PANs or other identifiers of individuals with whom the information is shared, and date and time stamps, including audit trails of such sharing.
FAQs on Structured Digital Database (SDD)
Q 1. Who is required to maintain the SDD?
Ans : As per Regulation 3(5) of the SEBI (PIT) Regulations, 2015: “The Board of Directors or head(s) of the organisation of every person required to handle Unpublished Price Sensitive Information (UPSI)” is mandated to maintain an SDD. This includes:
- Listed or proposed-to-be-listed companies (as per Regulation 2(1)(hb) of PIT Regulations)
- Intermediaries/fiduciaries, as referred under the Explanation to Regulation 3(2A), who handle UPSI in the course of their business
Q 2. Are intermediaries/fiduciaries required to maintain SDD?
Ans : Yes. Intermediaries/fiduciaries must maintain a separate internal SDD for:
- UPSI shared with them
- UPSI they have shared with others
This applies even for unlisted companies whose securities are proposed to be listed. (Ref: Regulation 9A(2)(d) & Schedule C of SEBI PIT Regulations)
Q 3. What is the trigger point for inserting a record into the SDD?
Ans : The sharing of UPSI, internally or externally, triggers the requirement to record the event in the SDD.
Q 4. What qualifies as UPSI?
Ans : UPSI is defined under Regulation 2(1)(n). It includes information that:
- Is not publicly available
- Would materially affect the price of securities if made public
Examples include financial results, mergers, acquisitions, and key management changes.
Q 5. When is UPSI considered to be “germinated”?
Ans : UPSI is germinated when:
- It starts taking shape as price-sensitive information
- The probability of the event happening is greater than not happening, and
- The event is likely to materially affect the securities’ price upon disclosure
Q 6. Should internal sharing of UPSI also be recorded in the SDD?
Ans : Yes. Whether UPSI is shared within or outside the organization, it must be recorded in the SDD. Example: While finalizing financial results, sharing UPSI with accounts personnel or auditors must be recorded with their names and identifiers (e.g., PAN). Audit firms that receive UPSI must also maintain their own SDD.
Q 7. What are the technical requirements for maintaining the SDD?
Ans :
- The database must not be outsourced
- It must have adequate internal controls, time stamping, and audit trails
- Once an entry is made, it cannot be altered
- Any corrections must be made via new entries referencing the original, with reasons
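One way to meet the "cannot be altered" and "correction via new entry" requirements above, given as an added example that is not part of the original page: each entry carries a UTC time stamp and the SHA-256 hash of the previous entry, so an edited record fails verification. Hash chaining, the class and field names, and the sample names and identifiers are assumptions made here, not something the regulations prescribe.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry

def entry_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class SddLedger:
    """Append-only log: there is deliberately no update or delete method."""
    def __init__(self):
        self._entries = []

    def append(self, actor, nature, shared_by, shared_with, corrects=None, reason=None):
        # A correction is a new entry that points at the old one and says why.
        if corrects is not None and not (0 <= corrects < len(self._entries) and reason):
            raise ValueError("correction needs an existing entry number and a reason")
        body = {
            "seq": len(self._entries),
            "recorded_at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,              # identified user making the entry
            "nature": nature,            # nature of the UPSI
            "shared_by": shared_by,      # name and PAN or other identifier
            "shared_with": shared_with,  # list of name/identifier records
            "corrects": corrects, "reason": reason,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append({**body, "hash": entry_digest(body)})
        return body["seq"]

    def verify(self):
        """Return the seq of the first entry that fails the chain check, else None."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev or entry_digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

def demo():
    """Constructed sample: one sharing event, then a correction that references it."""
    client = {"name": "Client Ltd", "id": "<PAN-PLACEHOLDER-1>"}
    auditor = {"name": "A. Auditor", "id": "<PAN-PLACEHOLDER-2>"}
    log = SddLedger()
    first = log.append("partner01", "Draft quarterly results", client, [auditor])
    log.append("partner01", "Draft quarterly financial results", client, [auditor],
               corrects=first, reason="nature of UPSI described imprecisely")
    return log
```

A hash chain makes alteration detectable rather than impossible: anyone with write access to the storage could rebuild the whole chain, so the latest hash should also be kept somewhere that person cannot write to.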
Q 8. Who can access and insert UPSI into the SDD?
Ans :
- The responsibility lies with the Board of Directors or the Head of the Organization
- Access must be granted on a ‘need-to-know’ basis
- Identity of every user must be established and audit-trailed
Q 9. For group companies, should each maintain its own SDD?
Ans : Yes. Each company within a group must maintain a separate, independent SDD, as per Regulation 3(5).
Q 10. What if PAN of the person is not available?
Ans : Capture the PAN wherever available. If not, use any other valid identifier (like Aadhaar, Passport No., etc.) to record the identity.
Q 11. Can external software be used to maintain the SDD?
Ans : Yes. You may purchase or license external software, but the SDD must be maintained internally (within the control of the fiduciary/entity).
Q 12. Are companies under CIRP required to maintain SDD?
Ans : Yes. Resolution Professionals must ensure compliance with all applicable laws, including SEBI PIT Regulations, as per IBBI Circular No. IP/002/2018 dated January 03, 2018.