SEBI’s 16-Item UPSI List & Structured Digital Database: The ₹25 Crore Insider Trading Trap Every IPO-Bound Company Must Fix in 2026
One year ago, on 10 June 2025, the rule book on insider trading quietly got heavier. SEBI’s PIT amendment 2025 stretched the UPSI list to roughly sixteen events, pulled forensic audits and fund-raising decisions into the net, and tightened how every listed and IPO-bound company must run its structured digital database. The number that should stop a founder mid-scroll: a single insider trading violation under Section 15G of the SEBI Act can cost up to ₹25 crore or three times the profit made, whichever is higher, on top of a possible ten-year jail term. A defective or missing SDD is the paper trail SEBI looks for first.
Quick Summary
What changed: SEBI PIT (Amendment) Regulations, 2025 expanded the UPSI list to ~16 events
Effective date: 10 June 2025 (notified 11 March 2025)
Who must comply: Listed companies, intermediaries, and unlisted companies preparing for an IPO
Penalty for insider trading: ₹10 lakh up to ₹25 crore or 3x profit (Section 15G), plus up to 10 years imprisonment (Section 24)
Key action: Refresh your UPSI definition, rebuild the SDD to capture all 16 events, retain records 8 years
Why the SEBI PIT amendment 2025 UPSI list matters for IPO-bound companies
If you are chasing a listing window, governance is no longer a box at the end of the process. It is the gate at the start. Merchant bankers, legal counsel and the audit committee now read your insider trading framework as a proxy for how seriously the board takes its fiduciary duty. A structured digital database that starts the week before the DRHP is filed tells a due diligence team exactly the wrong story.
The 2025 amendment matters because it widened the definition of what counts as price sensitive. Earlier, the illustrative list ran to about eight items and many corporate events sat in a grey zone. The board could argue that a forensic audit or a third-party guarantee was not “price sensitive” until the outcome was known. That argument is now far harder. Once an event is on the list, every internal email about it is a UPSI communication that must be logged.
For a startup moving from Series C towards a public issue, this lands at the worst possible time. The same 12 to 18 month runway in which you are cleaning the cap table, closing the secretarial audit findings and fixing board composition is the window in which your SDD has to already be live and populated. There is no retro-fitting a database that is supposed to be non-tamperable and time-stamped.
The expanded UPSI list: 16 events you must now track
The SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2025 rewrote the illustrative list of unpublished price sensitive information. According to MMJC’s analysis of the amendment, the count of events rose to sixteen. The table below sets out the additions that catch most companies off guard.
| New / expanded UPSI trigger | Why it bites |
|---|---|
| Decision on a proposed fund raise | A board discussion on a round or QIP is UPSI from the moment it starts, not when it closes. |
| Agreements affecting management or control | Shareholder agreements, voting arrangements and control transfers now sit squarely in the net. |
| Forensic audit initiation and final report | Both the start of a forensic audit and receipt of the report are separately price sensitive. |
| Guarantees / indemnity / surety for a third party | Captured when given outside the normal course of business. |
| Key licences or regulatory approvals | Grant, withdrawal, surrender, cancellation or suspension all qualify. |
| Admission of a winding-up petition or CIRP application | Tribunal admission of an insolvency application against the company is UPSI. |
| Resignation of statutory or secretarial auditors | Auditor exits are now explicitly listed, not left to interpretation. |
| Change in KMP (not by superannuation or term end) | An unplanned exit of a key managerial person triggers the database entry. |
| Award or termination of material orders / contracts | Supply, service and procurement contracts outside the normal course are covered. |
These sit alongside the long-standing entries: financial results, dividends, change in capital structure, mergers and acquisitions, delisting, disposals and expansion. The practical takeaway for a company secretary is that the agenda of almost every board and committee meeting now contains at least one UPSI item. The default assumption has flipped from “is this price sensitive?” to “log it unless you can justify why not”.
What the structured digital database actually demands
The structured digital database, set out in Regulation 3(5) and 3(6) of the SEBI PIT Regulations, is the spine of the whole framework. It is the record SEBI pulls first in any investigation because it shows who knew what, and when. According to TaxGuru’s primer on the SDD, the database must capture the nature of the UPSI and the names, including PAN or other identifier, of every person who shared it and every person who received it.
Three requirements trip companies up most often.
Non-tamperable and time-stamped. The SDD cannot be a shared spreadsheet that anyone can edit. It must have internal controls, time stamps and an audit trail so that no entry can be altered or deleted without a footprint. A database built on an editable file fails this test on day one.
Maintained internally. The database must sit with the company, not be outsourced to a place where the company loses control of the records. You can use software, but the company remains the custodian.
Preserved for at least eight years. Records must be kept for a minimum of eight years after the transactions are complete, and longer if an investigation is pending. For an IPO-bound company, that means the database you build now will be examined well into the post-listing years.
The trading window change you should not misread
One part of the 2025 amendment looks like a relaxation, and it is, but only a narrow one. Where UPSI originates outside the listed entity, the trading window for designated persons and their immediate relatives need not be closed. The logic is practical: a company often cannot control when a third party shares information, so freezing trades the moment external UPSI lands would be unworkable.
Read it carefully though. The relief is only about closing the trading window. The externally sourced UPSI must still be entered in the SDD, generally within two calendar days of receipt. And the core prohibition has not moved an inch: no one in possession of UPSI may trade, whether the information came from inside or outside the company. The amendment removed an administrative trigger, not the underlying duty.
Five mistakes that show up in due diligence
Across pre-IPO reviews, the same gaps recur. First, the SDD is a spreadsheet that three people can edit, which fails the non-tamperable test outright. Second, designated persons are mapped but their immediate relatives are not, so a spouse’s trade goes untracked. Third, the database starts months before the DRHP rather than years before, leaving an obvious gap in the audit trail. Fourth, externally sourced UPSI is ignored on the mistaken belief that no trading window closure means no logging duty. Fifth, the code of conduct is adopted once and never refreshed, so it still references the old eight-item UPSI list. Each of these is cheap to fix early and expensive to explain to a merchant banker later.
The real cost of getting this wrong
This is where the topic stops being academic. The penalty regime for insider trading is among the heaviest in Indian corporate law.
| Contravention | Monetary penalty | Other consequence |
|---|---|---|
| Insider trading / communication of UPSI (Sec 15G) | ₹10 lakh up to ₹25 crore or 3x profit, whichever is higher | Disgorgement of gains, directions under Sec 11B |
| Serious contravention (Sec 24) | Fine up to ₹25 crore | Imprisonment up to 10 years |
| SDD failure / defective database | Separate adjudication penalty | Show-cause notice, governance red flag |
| Code of conduct / disclosure lapse | Routine monetary penalties | Reported in the offer document |
SEBI does not reserve its attention for headline insider trading cases. Its enforcement pattern leans towards steady, routine action on disclosure discipline. To take a recent example of how technical lapses are treated, SEBI’s adjudication trend shows even delayed disclosure of a single material event drawing a penalty in the low single-digit lakhs. A company that cannot produce a clean SDD when asked is handing SEBI the easiest possible finding.
By The Numbers
UPSI events now in the list
or 3x profit max penalty (Sec 15G)
minimum SDD retention
to log externally sourced UPSI
What you must do now: an SDD and UPSI checklist
If your company is listed, this is a refresh. If you are heading towards an IPO, this is foundational. Either way, work through the following steps with your company secretary.
Step 1: Re-adopt the code of conduct. Update the Regulation 9 code of conduct to regulate, monitor and report trading by designated persons. Make sure it reflects the expanded UPSI list and the trading window position for externally sourced information.
Step 2: Re-map designated persons. Identify designated persons, their immediate relatives and material financial relationships. A founder’s spouse and dependent family members are routinely missed and are exactly where SEBI looks.
Step 3: Rebuild the SDD around 16 events. Reconfigure the database so every one of the sixteen UPSI triggers maps to a logging workflow. Fund raises, forensic audits and auditor resignations are the new entries to wire in.
Step 4: Lock down access and tamper-proofing. Confirm the SDD is non-tamperable, time-stamped and access-controlled. If it is still a spreadsheet, replace it before your next board meeting.
Step 5: Run trading window and pre-clearance discipline. Close the window for internal UPSI, keep it open where the trigger is purely external, and enforce pre-clearance for trades above the threshold set in your code.
Step 6: Train the people who actually handle UPSI. The finance team, the deal team and the EAs to the CXOs touch UPSI daily. A one-time circular is not training. Run a short, documented session.
Step 7: Preserve everything for eight years. Set the retention policy in writing and make sure your IT and records process honours it, including for any pending matter.
How this compares with the LODR and ICDR obligations you may already know
Founders often confuse the PIT framework with the disclosure obligations under LODR, or with the IPO-stage rules under ICDR. They are distinct. LODR governs what a listed company tells the market after listing. ICDR governs the issue process itself. The PIT Regulations sit underneath both and govern who may trade and how price sensitive information is controlled, before and after listing. A company can be fully compliant on LODR disclosures and still be exposed on PIT if its SDD is weak. Treat them as three separate workstreams that share the same governance team.
Key Takeaways
- ✅ The PIT amendment 2025 took effect 10 June 2025 and expanded the UPSI list to about 16 events.
- ✅ Fund raises, forensic audits, auditor resignations and third-party guarantees are now explicitly UPSI.
- ✅ The structured digital database must be non-tamperable, time-stamped and kept for at least 8 years.
- ✅ Externally sourced UPSI does not require a trading window closure, but must still be logged, generally within 2 days.
- ✅ Insider trading can cost ₹10 lakh up to ₹25 crore or 3x profit under Section 15G, plus up to 10 years imprisonment.
- ✅ IPO-bound companies should have the SDD and code of conduct live 12 to 18 months before filing the DRHP.
- ✅ PIT, LODR and ICDR are three separate workstreams; clean LODR disclosure does not cure a weak SDD.
The deeper implication
According to CS Sapna Malpani, the 2025 amendment marks a shift in how SEBI thinks about information control. The regulator has moved from asking companies to judge what is price sensitive to telling them to assume most material corporate events are, and to prove the chain of custody for that information. For a board, the safest posture is to over-log rather than argue sensitivity after the fact. Expect the next wave of enforcement to focus less on dramatic insider trades and more on whether the SDD itself was real, complete and contemporaneous. The companies that treat the database as a live governance tool, rather than a file produced for an inspection, will clear due diligence faster and price their issues with fewer last-minute findings.
Sources and references
- SEBI Act, 1992: Section 15G (penalty for insider trading), India Code
- MMJC: SEBI Broadens Scope of Unpublished Price Sensitive Information
- TaxGuru: Structured Digital Database under SEBI (PIT) Regulations, 2015
- Vinod Kothari Consultants: Upsurge in list of UPSI: PIT (Amendment) Regulations, 2025
- Acuity Law: SEBI PIT Regulation Amendment: Strengthening Insider Trading Norms
- Lexology: SEBI’s Recent Adjudication Orders: Disclosure Enforcement Trends
Preparing for an IPO or tightening your insider trading framework?
Estimate your compliance exposure with the MCA Penalty Calculator.
For a confidential governance and SDD review: Contact CS Sapna Malpani | WhatsApp
Frequently asked questions
What changed in the SEBI PIT amendment 2025 UPSI list?
The amendment, notified on 11 March 2025 and effective 10 June 2025, expanded the illustrative UPSI list to roughly sixteen events. New entries include any decision on a proposed fund raise, agreements that may impact management or control, initiation of a forensic audit and receipt of the final report, guarantees or indemnities for third parties outside the normal course of business, grant or withdrawal of key licences, admission of a winding-up or CIRP application, resignation of statutory or secretarial auditors, and award or termination of material orders or contracts.
Is a structured digital database mandatory for unlisted companies planning an IPO?
In practice, yes. The SDD obligation under Regulation 3(5) applies to listed companies and intermediaries, but a company that intends to file a DRHP is expected to have its code of conduct, designated person framework and SDD running before listing. Due diligence teams treat a missing or back-dated SDD as a governance red flag, so build it 12 to 18 months ahead of the issue.
What is the penalty for insider trading and SDD non-compliance in India?
Under Section 15G of the SEBI Act, 1992, insider trading or communication of UPSI attracts a penalty of not less than ₹10 lakh, up to ₹25 crore or three times the profit made, whichever is higher. Serious contraventions can attract imprisonment of up to 10 years under Section 24. A defective or missing SDD has drawn separate adjudication penalties.
Does the trading window need to be closed for UPSI from outside the company?
No. Where UPSI originates outside the listed entity, the trading window for designated persons and their immediate relatives need not be closed. However, that UPSI must still be entered in the SDD, generally within two calendar days of receipt, and no one in possession of UPSI may trade.
How long must a structured digital database be preserved?
The SDD must be maintained internally with adequate controls, must be non-tamperable with time stamps and an audit trail, and must be preserved for at least eight years after the relevant transactions are complete, or longer if an investigation or proceeding is pending.