SEBI SDD Compliance 2026: Why BofA Just Paid Rs 58.5 Lakh and How Listed Companies Can Avoid the Trap
By CS Sapna Malpani, Practising Company Secretary, Bangalore | Published 18 May 2026 | Last updated 18 May 2026
On 4 May 2026, SEBI confirmed receipt of Rs 58.5 lakh from BofA Securities India Limited, the merchant banking affiliate of Bank of America, to settle a show-cause notice that had nothing to do with trading on inside information. The proceedings were not about money made. They were about SEBI SDD compliance — a Structured Digital Database that BofA Securities India was found not to have maintained as required under Regulation 3(5) of the SEBI (Prohibition of Insider Trading) Regulations, 2015. For every listed company, every merchant banker, every fiduciary, and every IPO-bound founder, the message from this settlement order is simple: SEBI is now penalising the absence of process, even when there is no proof of insider trading.
Quick Summary
Trigger: SEBI Settlement Order in the matter of BofA Securities India Limited, May 2026
Who must comply: Every listed company, intermediary (merchant banker, RTA, banker to issue), and fiduciary (auditor, law firm, consultant) handling UPSI; every pre-IPO company from DRHP filing onwards
Penalty for non-compliance: Rs 10 lakh to Rs 25 crore, or three times the profits, whichever is higher (SEBI Act Sections 15G and 15HB)
Key action: Deploy a tamper-proof SDD with timestamps, audit trail, and PAN fields. Obtain an annual compliance certificate from a practising company secretary.
Time to act: Before the FY 2025-26 Annual Secretarial Compliance Report is filed with the stock exchanges
The Problem — Why SDD Compliance Just Became the Single Biggest Listed-Company Audit Risk
Until 2024, most listed-company compliance teams treated the Structured Digital Database as a tick-box exercise. The standard implementation looked like a shared Excel file with a few designated persons listed, a column for UPSI, and an entry roughly once a quarter when board papers went out. That model is now dead. The settlement against BofA Securities India was triggered by a SEBI show-cause notice dated 26 May 2025, alleging that the merchant banker failed to maintain a compliant Structured Digital Database covering the UPSI it received and shared during merchant banking engagements. SEBI did not allege any insider trading. It alleged a process gap, and that process gap alone cost Rs 58.5 lakh, two years of executive attention, and a public settlement order that will now sit on SEBI’s enforcement page for any future regulator, banker, or counterparty to read.
The BofA settlement follows a pattern. The Bombay Stock Exchange issued a Standard Operating Process on 18 October 2024 mandating SOP-level SDD compliance for every listed entity. SEBI’s FAQs of December 2024 reiterated that the database must be tamper-proof, that timestamps must be enforced at entry, and that the records must be preserved for at least eight years under Regulation 3(6). Independent practising company secretaries are now required to certify, in the Annual Secretarial Compliance Report, whether the SDD complies with Regulation 3(5). Any negative observation flows directly to SEBI and to the stock exchanges. Once flagged, an SCN is a matter of when, not if.
For private companies preparing for an IPO, the moment of vulnerability arrives the day the Draft Red Herring Prospectus is filed. All financial data being prepared, the price band under discussion, the anchor investor outreach, and the pre-IPO placement terms become UPSI under the PIT framework. The founder of a year-old startup who has never thought about an SDD suddenly becomes the legal head of UPSI management, and any failure to start the database before DRHP filing becomes a Regulation 3(5) violation the day the listing happens. This is no longer an issue only for large-cap boards. It is a foundational compliance system every funded company must build before scale.
The Penalty Matrix — What SDD Non-Compliance Actually Costs
| Trigger / Default | Statutory Provision | Minimum Penalty | Maximum Penalty |
|---|---|---|---|
| Failure to maintain SDD with PAN, timestamp, audit trail | Section 15HB, SEBI Act | Rs 1 lakh | Rs 1 crore |
| SDD maintained but tampered or back-dated | Section 24 + Section 15HB, SEBI Act | Rs 1 crore | Rs 25 crore + imprisonment up to 10 years |
| Insider trading with SDD gap as aggravating factor | Section 15G, SEBI Act | Rs 10 lakh | Rs 25 crore or 3x profits, whichever higher |
| SDD not preserved for the 8-year statutory window | Reg 3(6) PIT + Section 15HB | Rs 1 lakh | Rs 1 crore + continuing default |
| ASCR flagged with SDD adverse observation | SEBI LODR Reg 24A + PIT 3(5) | Rs 1 lakh per stock exchange + show-cause | Variable + settlement amounts |
| Designated person not on SDD | Reg 3(5) PIT + Code of Conduct breach | Rs 5 lakh internal + Rs 1 lakh SEBI | Rs 1 crore + dismissal trigger |
The Rs 58.5 lakh BofA settlement falls within the Section 15HB matrix — a regulatory civil penalty for failure to maintain records, not a criminal insider trading penalty. The absence of any allegation of trading on UPSI is what kept this from becoming a Section 15G case running into multi-crore territory. Companies that get caught with both an SDD gap and a UPSI trade pattern will face the upper end of the matrix every time.
What Happened in the BofA Case — A Timeline Every Compliance Team Should Read
26 May 2025 — SEBI issues a show-cause notice to BofA Securities India alleging that the merchant banker failed to maintain a Regulation 3(5) compliant Structured Digital Database covering UPSI received and shared during merchant banking engagements.
1 July 2025 — BofA Securities India files a settlement application under the SEBI (Settlement Proceedings) Regulations, 2018, opting for resolution without admission or denial of guilt.
April 2026 — SEBI’s High Powered Advisory Committee reviews the application and recommends settlement at Rs 58.5 lakh; the panel of whole-time members approves the settlement terms.
4 May 2026 — BofA Securities India remits the Rs 58.5 lakh settlement amount; SEBI confirms receipt and the formal settlement order is published on the SEBI enforcement page.
Aftermath — The order is now a public precedent; merchant bankers, listed companies, and fiduciaries are revisiting their SDD architecture and seeking annual compliance certificates from practising company secretaries.
What makes the timeline instructive is the duration. The SCN was issued in May 2025; the settlement came in May 2026. Twelve months of executive attention, external counsel cost, and compliance team distraction — all of which is invisible in the Rs 58.5 lakh headline figure. The full cost of an SDD failure includes legal fees, internal investigation cost, the time tax on senior leadership, and the reputational signal sent to every listed counterparty looking at the SEBI enforcement page.
By The Numbers — SDD Enforcement Reality 2026 (statistics panel; figures stated in the article body): BofA Securities India SDD settlement, May 2026; maximum penalty under Section 15HB SEBI Act; minimum SDD retention under Regulation 3(6); time from SCN to settlement in the BofA matter.
The Real-World Compliance Gap — Why Most Listed Companies Are Still Vulnerable
In private conversations with listed-company compliance teams across Bangalore over the last six months, five recurring SDD gaps appear. Every one of them is the kind of finding a SEBI inspection or a practising company secretary’s annual audit will catch. Each gap, on its own, is a Section 15HB risk.
Gap one: the Excel SDD. The vast majority of listed companies, especially mid-cap and small-cap firms, still maintain their SDD as an Excel file on a shared drive. Excel allows back-dated edits, supports no real audit trail, has no enforced timestamping at row level, and cannot be locked down to prevent deletion. The October 2024 BSE SOP is explicit that the database must be maintained with controls that prevent tampering. Excel fails this test before the first entry is made.
Gap two: the missing PAN. Regulation 3(5) requires that every entry capture the PAN of the person sharing UPSI and the person receiving it. Many listed entities capture names but not PANs, on the theory that PAN data is sensitive. The regulator does not accept this. In its December 2024 FAQs, SEBI clarified that PAN is mandatory, full stop.
Gap three: the outsourced SDD. Some companies have handed SDD maintenance to their RTA or law firm, believing this counts as professional outsourcing. Regulation 3(5) explicitly states that the database shall not be outsourced. The accountability is with the head of the organisation and the board. A vendor can host the software, but the day-to-day responsibility for the database content remains with the listed entity.
Gap four: the missing designated persons. The Code of Conduct under the PIT Regulations defines who counts as a designated person. In a growing company, the list changes with every promotion, hire, and reorganisation. Most companies update the SDD designated person list once a year, around the ASCR cycle. Twelve months of staleness in a database that is supposed to be real-time is a Regulation 3(5) failure.
Gap five: the missing trail to board minutes. SEBI inspections cross-reference the SDD against the board calendar, audit committee minutes, and merchant banker engagements. If the SDD has fewer entries than the board paper trail suggests it should, the inspection turns adversarial. The BofA matter began with exactly this kind of reconciliation.
Step-by-Step — How to Build a Regulation 3(5) Compliant SDD Before the Next ASCR Cycle
Step 1 — Map every UPSI source and recipient. Before any software conversation, the compliance team must list every internal team and external party that originates or receives UPSI. Inside the company, this includes the CFO and finance team for quarterly results, the corporate development team for M&A activity, the investor relations team for forward guidance, the legal team for litigation that may be material, the audit committee, and the board itself. Externally, the list includes statutory auditors, secretarial auditors, merchant bankers, RTAs, legal counsel, tax advisors, and any consultant engaged on a material project. The map is the foundation of every subsequent SDD entry.
Step 2 — Pick a tamper-proof SDD software, not Excel. The software must enforce timestamping at the moment of entry, lock the entry against editing, capture PAN, capture the nature of the UPSI (not just a generic tag), record audit trails of every access, and export a daily or weekly log for backup. There are several commercial SDD tools in the Indian market built specifically for PIT compliance, and pricing for mid-cap listed entities is now competitive enough that the cost is a small fraction of the Rs 58.5 lakh BofA had to pay.
Step 3 — Update the Code of Conduct under the PIT Regulations. The Code must explicitly mandate that every UPSI sharing event be recorded in the SDD before the information is shared, not after. This shifts the cultural responsibility from periodic catch-up to operational discipline. The Code update needs board approval and disclosure to the stock exchanges.
Step 4 — Train every designated person quarterly. Section 15HB liability extends to officers in default, which in PIT cases means the head of the compliance function, the company secretary, and the managing director. Quarterly training, with attendance records, demonstrates the kind of internal control SEBI looks for during inspection. Make the training mandatory, record attendance in the SDD audit trail, and refresh the content every quarter.
Step 5 — Run a quarterly internal audit against board minutes. The single most powerful internal control is a quarterly reconciliation of the SDD against the board calendar, audit committee minutes, M&A data room access logs, and merchant banker engagement letters. Every external party listed in a board paper should have a matching SDD entry. Every M&A data room user should be in the SDD. Every merchant banker engaged for a fundraise should have a Reg 3(5) acknowledgment on file.
Step 6 — Obtain the Annual SDD Compliance Certificate. Engage an independent practising company secretary to issue a Regulation 3(5) compliance certificate. The certificate becomes part of the Annual Secretarial Compliance Report filed with the stock exchanges under LODR Regulation 24A. A clean certificate is the single best defence against an SCN. Conversely, a qualified certificate is a flashing red light that draws SEBI’s attention.
Step 7 — Preserve for at least eight years. Regulation 3(6) requires preservation for eight years after the relevant transaction. In practice, listed companies should preserve indefinitely for any ongoing SEBI inquiry. The cost of storage is trivial. The cost of deletion can be a Section 24 criminal prosecution.
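As an added illustration (not code from the article, the settlement order, or any commercial SDD product), the following Python sketch shows the properties Steps 2 and 5 call for: each entry is timestamped at the moment of recording rather than by the user, PANs are validated before an entry is accepted, every entry is hash-chained to the previous one so a later edit or back-dating is detectable, and a reconciliation helper lists counterparties on a board paper that have no matching SDD entry. Class, method and field names are my own assumptions; the PANs in the test are constructed, not real.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Indian PAN format: five letters, four digits, one letter (e.g. ABCDE1234F, constructed).
PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")
GENESIS = "0" * 64  # prev_hash of the very first entry


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class SDDLedger:
    """Append-only, hash-chained register of UPSI sharing events (illustrative)."""

    def __init__(self):
        self._entries = []

    def record(self, nature, sharer, sharer_pan, recipient, recipient_pan, clock=None):
        """Append one sharing event. The timestamp is assigned here, at entry,
        never supplied by the user; `clock` exists only so tests are deterministic."""
        for pan in (sharer_pan, recipient_pan):
            if not PAN_RE.fullmatch(pan):
                raise ValueError(f"PAN missing or malformed: {pan!r}")
        ts = (clock or datetime.now(timezone.utc)).isoformat()
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": ts,
            "nature": nature,            # specific description, not a generic tag
            "sharer": sharer, "sharer_pan": sharer_pan,
            "recipient": recipient, "recipient_pan": recipient_pan,
            "prev_hash": prev,           # links this entry to the one before it
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain. Returns (True, n) if all n entries are intact, or
        (False, seq) naming the first entry whose content or linkage was altered."""
        prev = GENESIS
        for i, e in enumerate(self._entries, 1):
            if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self._entries)

    def missing_recipients(self, expected_pans):
        """Reconciliation check (Step 5): PANs on a board paper or data-room
        access list that have no matching recipient entry in the SDD."""
        seen = {e["recipient_pan"] for e in self._entries}
        return sorted(set(expected_pans) - seen)

    def export_log(self):
        """JSON-lines export for the daily or weekly backup."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)
```

An Excel sheet offers none of these checks: a cell can be back-dated silently, whereas here the same edit breaks the chain and `verify` names the entry that was altered.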
The Deeper Implication — SDD Is Now a Pre-IPO Audit Requirement
According to CS Sapna Malpani, the BofA settlement is significant not because of its rupee value but because of who it targets. A merchant banker who builds DRHPs for IPO-bound companies was caught with an SDD gap. This raises an immediate question for every pre-IPO founder: if the merchant banker’s house is not in order, what is happening at the issuer level? Independent practising company secretaries are now routinely asking, during pre-IPO secretarial audits, when did your SDD start, who is on it, and where is the annual compliance certificate. The absence of an SDD that pre-dates DRHP filing is treated as a material observation in the Secretarial Audit Report under Section 204 of the Companies Act, 2013.
The forward prediction is straightforward. SEBI’s enforcement pattern from 2024 onwards has shifted from punishing insider trading after the fact to punishing the absence of preventive controls. The SDD is the most measurable of those controls. Every listed entity that files its FY 2025-26 ASCR with a qualified SDD note can expect a show-cause notice within the following 12 months. Every pre-IPO company that approaches its DRHP filing without a 12-month-old SDD will receive a SEBI observation requiring the gap to be closed before the issue opens. The cost of compliance, at this point, is a fraction of the cost of remediation.
SDD vs No SDD — The Choice That Defines Listed-Company Risk
| Dimension | Compliant SDD | Excel / Outsourced / Missing SDD |
|---|---|---|
| SEBI inspection outcome | Clean exit in 4-6 weeks | SCN within 90 days |
| ASCR observation | Unqualified certificate | Qualified or adverse |
| Penalty exposure (per event) | Rs 0 | Rs 1 lakh to Rs 25 crore |
| Time tax on leadership | 2 hours per quarter | 200+ hours over 12 months |
| IPO process risk | Smooth observation letter | DRHP delays + repeated queries |
| Director-level liability | Insulated by audit trail | Officer-in-default under Section 15HB |
| Annual cost of compliance | Rs 1.5 to 3 lakh | Rs 58.5 lakh and counting |
Comparison with Related Provisions — Don’t Confuse SDD with the Trading Window Restrictions
Many compliance teams treat the SDD as if it were the trading window restriction. They are different controls solving different problems. The trading window under Regulation 9 and Schedule B of the PIT Regulations restricts when designated persons can trade in the company’s securities. The SDD under Regulation 3(5) records who knows the UPSI. Both are required, both run in parallel, and a failure in one does not insulate against a failure in the other. A company with a flawless trading window policy and a broken SDD will still get a Section 15HB penalty. Similarly, the Insider Trading Policy and the Code of Conduct under Schedule B work in tandem with the SDD; the policy defines the rules, the SDD records the evidence, and the trading window is the operational restriction. All three need to be aligned, board-approved, and disclosed.
Pre-IPO founders sometimes assume that SEBI PIT obligations begin only after listing. They begin earlier. The moment the company files its DRHP, the PIT framework engages, and the SDD must be live from at least the DRHP filing date forward. Mature merchant bankers will ask the issuer for the SDD start date as part of the legal diligence. The absence of an SDD predating DRHP filing is a remediation point that delays the SEBI observation letter.
Key Takeaways — SDD Compliance 2026
- ✔ BofA Securities India paid Rs 58.5 lakh on 4 May 2026 to settle an SDD non-compliance SCN issued in May 2025.
- ✔ Regulation 3(5) of the PIT Regulations, 2015 requires every listed entity, intermediary, and fiduciary handling UPSI to maintain a tamper-proof SDD with PAN, timestamps, and audit trails.
- ✔ Excel and Google Sheets do not satisfy Regulation 3(5); dedicated SDD software with immutable entries is required.
- ✔ The SDD cannot be outsourced; vendors may host the software but the issuer’s board carries the legal responsibility.
- ✔ Pre-IPO companies must start SDD compliance from the DRHP filing date at the latest; many merchant bankers now demand it earlier.
- ✔ Penalties range from Rs 1 lakh to Rs 25 crore under Sections 15G and 15HB of the SEBI Act, plus 3x profits where insider trading is established.
- ✔ SDD records must be preserved for at least eight years under Regulation 3(6), or longer if a SEBI investigation is open.
- ✔ Annual independent SDD compliance certification from a practising company secretary is the single most effective defence against an SCN.
Frequently Asked Questions on SEBI SDD Compliance 2026
What is SEBI SDD compliance and who must maintain a Structured Digital Database?
SEBI SDD compliance refers to maintaining a Structured Digital Database under Regulation 3(5) of the SEBI (Prohibition of Insider Trading) Regulations, 2015. Every listed company, intermediary (merchant banker, registrar, banker to issue), and fiduciary (auditor, legal advisor, consultant) handling Unpublished Price Sensitive Information must maintain an SDD with the nature of the UPSI, names and PANs of persons sharing the information, names and PANs of persons with whom it is shared, with timestamps and audit trails. The database cannot be outsourced and entries cannot be modified once made. Records must be preserved for at least eight years after the relevant transactions.
What is the penalty for failing SEBI SDD compliance in 2026?
Under Section 15HB and Section 15G of the SEBI Act, 1992, failure to maintain a compliant Structured Digital Database can attract a monetary penalty ranging from Rs 10 lakh to Rs 25 crore, or three times the profits made out of insider trading, whichever is higher. BofA Securities India paid Rs 58.5 lakh in May 2026 to settle proceedings, demonstrating that even passive non-maintenance, without proof of insider trading, is being penalised. Stock exchanges also impose additional fines, and the listed company’s Annual Secretarial Compliance Report flags any SDD gap to SEBI.
Why did BofA Securities India pay Rs 58.5 lakh to SEBI in 2026?
BofA Securities India, a merchant banker affiliate of Bank of America, paid Rs 58.5 lakh in May 2026 to settle a SEBI show-cause notice issued on 26 May 2025. The notice alleged that BofA Securities India failed to maintain a compliant Structured Digital Database under Regulation 3(5) of the PIT Regulations, 2015. The merchant banker filed a settlement application on 1 July 2025, the high-powered advisory committee recommended settlement in April 2026, and the remittance was confirmed by SEBI on 4 May 2026. The matter was settled without admission or denial of guilt.
Does SDD compliance apply to unlisted IPO-bound companies?
Yes. The moment a company files its Draft Red Herring Prospectus, SEBI treats it as covered by the PIT framework. Pre-IPO companies must start their SDD before the DRHP is filed because all financial data, the listing strategy, the price band, anchor investor names, and pre-IPO placements constitute UPSI. Independent practising company secretaries auditing pre-IPO compliance now flag the absence of an SDD as a red-flag observation in the Secretarial Audit Report, which directly feeds into the SEBI observation letter process and can delay IPO clearance.
Can SDD be maintained on Excel or Google Sheets?
No. Excel and Google Sheets do not meet Regulation 3(5) because both allow back-dated edits, lack tamper-proof audit trails, and have no enforced timestamping. SEBI expects the database to be maintained in software that supports immutability, automated timestamps, audit trails, PAN integration, and an annual independent compliance certificate. The BSE Standard Operating Process circular dated 18 October 2024 explicitly states that the database shall not be outsourced and must operate with internal controls that meet the spirit of Regulation 3(5).
What is the difference between SDD compliance and the Annual Secretarial Compliance Report?
The Structured Digital Database is the operational record listed entities must maintain in real time. The Annual Secretarial Compliance Report is the certification a practising company secretary issues to confirm whether the SDD has been maintained as per Regulation 3(5). Both work in tandem. The SDD is the evidence and the ASCR is the third-party attestation filed with stock exchanges. SEBI uses inconsistencies between the two to open investigations, as seen in several recent adjudication orders from 2024 onwards.
How long must the Structured Digital Database be preserved?
Under Regulation 3(6) of the PIT Regulations, 2015, the Structured Digital Database must be preserved for at least eight years after the completion of the relevant transactions. If SEBI initiates an investigation or enforcement proceeding, the SDD relating to that matter must be preserved until the proceeding ends, even if the eight-year period has expired. Companies that delete or overwrite SDD records face separate penalties for destruction of evidence, which can lead to imprisonment under Section 24 of the SEBI Act.
Sources and References
- SEBI — Settlement Order in the matter of BofA Securities India Limited (May 2026)
- SEBI — Comprehensive FAQs on SEBI (PIT) Regulations, 2015 (December 2024)
- SEBI (Prohibition of Insider Trading) Regulations, 2015 — Bare Text on IndiaCode
- SEBI — PIT Regulations, 2015 (last amended 19 March 2024)
- ICSI — Advisory for SDD Compliance by Fiduciaries (28 February 2024)
- Cyril Amarchand Mangaldas — Decoding SEBI’s Tech Arsenal for Insider Trading: Structured Digital Database
- Business Standard — BofA Securities India settles alleged insider trading matter with SEBI (May 2026)
Disclaimer: This article is general guidance based on the SEBI Settlement Order in the matter of BofA Securities India Limited and the SEBI (Prohibition of Insider Trading) Regulations, 2015. It does not constitute legal advice. Specific cases require independent professional review.