Strengthening India’s Corporate Bond Market: A Look at NITI Aayog’s Recommendations

/0 Comments/in , , , /by

Simrat Singh | finserv@vinodkothari.com

India’s aspiration to become a US $30 Trillion economy by 2047 rests on its ability to mobilise long-term, stable and affordable capital. Debt capital can be an attractive source for this. While banks have historically been the backbone of credit intermediation in India, a bank-dominated financial system may be inadequate to meet the financing needs of a developing country like India which includes long-gestation exposures to infrastructure, climate transition, manufacturing and other emerging sectors. Recognising this constraint, NITI Aayog’s report on Deepening the Corporate Bond Market in India (‘Report’) lays out reforms to develop corporate bonds as another major tool for mobilising long-term low-cost capital. 

In this note we highlight some of the reforms being advocated in the Report.

Key Thrust Areas of Reforms:

Regulatory Efficiency 

A central theme of the Report is the need to reduce regulatory friction arising from fragmented and overlapping oversight by SEBI, RBI and the MCA for corporate bonds. Inconsistent treatment of similar bonds, procedural complexity, overlapping disclosures and different approval timelines are identified as major constraints, particularly for public issuances and lower-rated issuers. A specific concern highlighted is issuer-based regulation: bonds issued by banks and NBFCs are regulated by the RBI, while similar bonds issued by non-financial corporates fall under SEBI and MCA oversight. This results in different disclosure standards and compliance processes for similar bonds

To combat this, first, the Report calls for stronger inter-regulatory coordination and recommends measures such as mutual recognition of disclosures, a joint regulatory help desk/single point of contact as well as joint circulars detailing the jurisdictions of each regulator – essentially a centralised coordination mechanism involving SEBI, RBI, MCA and the Ministry of Finance.

Second, the Report emphasises the need to rationalise disclosure norms for public bond issuances, which are significantly more onerous than those applicable to private placements. This asymmetry has led to an overwhelming reliance on private placements, which account for nearly 98% of corporate bond issuances in India (p. 25). Drawing on global practices, the Report recommends a differentiated disclosure regime for well-compliant issuers (p. 66). Specific reforms include extending the validity of offer documents from one year to two or three years, removing ISIN-wise issuance constraints, simplifying PAS-2 and Information Memorandum filings through digital automation on the MCA portal, and introducing a “Well-Known Seasoned Issuer” framework to enable fast-track access to public bond markets for reputed issuers.

Third, the Report stresses the need for regulatory clarity for hybrid instruments, including covered bonds1, securitised debt and infrastructure-linked securities. Many instruments used globally to fund long-term assets do not fit neatly within India’s regulator-specific silos. Jurisdictional ambiguity (which regulator oversees which instrument?) and the absence of standardised regulatory treatment have impeded market development. The Report recommends clearly defined frameworks to facilitate market clarity. In this context, it also highlights tax distortions; for instance, SDIs2 currently attract significantly higher TDS than corporate bonds. The Report states that SDIs are taxed at a higher rate than corporate bonds which prevents securitisation of bonds. However, effective 1.04.2025, SDI TDS rates are aligned with bond rate; both at 10% (See section 194LBC of Tax Act).

Market Infrastructure and Liquidity

Bonds are heterogeneous instruments, varying by type of issuer, tenor, covenants and structure. Unlike equities, electronic order matching alone cannot ensure immediacy of execution or continuous liquidity in the secondary market, particularly in lower-rated or infrequently traded bonds. Despite progress through electronic platforms such as RFQ for secondary trading and EBP for primary issuance, trading volumes remain shallow and concentrated in highly rated bonds.

The Report recommends expanding electronic trading, enhancing post-trade reporting (to improve price discovery) and increasing the proportion of trades settled on a Delivery-versus-Payment (DVP) basis3. Absence of a robust market-making ecosystem is seen as a major constraint on secondary-market liquidity (pp. 22, 36, 106). Limited risk appetite and balance-sheet constraints deter intermediaries from providing continuous two-way quotes, especially in lower-rated and longer-tenor bonds.

To address this, the Report recommends enabling market-making through regulatory incentives and improved access to repo markets. In particular, the creation of a standing repo facility by RBI for high rated corporate bonds would allow market makers4 to monetise inventories efficiently and support continuous liquidity provision. While corporate bonds are included in the RBI’s list of repo-eligible instruments, their treatment differs materially from Government securities (G-Secs). Repos in G-Secs are exempt from CRR and SLR computation which means Banks can access funds through G-Sec repos without providing SLR and CRR on those funds. In contrast, cash raised through repos backed by corporate bonds is treated as a liability for CRR and SLR purposes, hence banks have to provide CRR and SLR on the resulting liquidity. Also, unlike G-Secs, which are centrally cleared and settled through CCIL, corporate bond repos lack a single, standardised clearing and settlement mechanism; they are cleared through F-TRAC and stock exchanges. The result is that the volume of corporate bond repo is negligible (exact data on corporate bond repo could not be sourced).

The Report also flags structural weaknesses in the credit rating ecosystem, including rating inflation, conflicts of interest under the issuer-pays model, and excessive regulatory reliance on ratings (p. 71). Strengthening governance standards is the key recommendation for credit ratings. To improve credit rating access for smaller issuers, the Report suggests exploring alternative credit assessment models, including technology-driven frameworks using GST-returns and other turnover based data and digital transaction histories.

Further, the Report recommends strengthening the existing framework requiring large corporates to raise a portion of incremental borrowings through debt securities (LCB Framework)5. Proposed enhancements include increasing the minimum market borrowing requirement and progressively extending the framework to smaller corporates with lower thresholds.

Drawing on the IMF’s FSAP 2025, the Report also recommends allowing high-quality corporate bonds to be used as collateral in RBI’s repo operations. International experience from the ECB, Bank of Japan, and Reserve Bank of Australia suggests that such measures can enhance secondary-market liquidity and broaden the investor base, subject to appropriate safeguards.

Equally important is the creation of a government-backed, centralised corporate bond data repository. Fragmented data across regulators and exchanges currently hampers price discovery and covenant monitoring. A unified, real-time repository is recommended to improve transparency for issuers, investors, and regulators.

Innovation in Instruments and Market design

The Report makes it clear that regulatory reforms alone are insufficient; product and market innovation are essential to expand depth and distribute risk. India’s bond market remains narrow not only due to investor risk aversion but also due to the limited availability of instruments aligned with diverse risk–return preferences and long-gestation financing needs. Green bonds, sustainability-linked bonds6, and transition bonds are identified as important instruments for financing climate action and infrastructure. However, the absence of a standardised green taxonomy and concerns around greenwashing have constrained growth. The Report, therefore, recommends establishing clear definitions, disclosure standards and verification frameworks to ensure credibility and scale ESG-oriented bond markets.

The Report proposes institutionalising a dedicated class of Corporate Bond Dealers (CBDs), modelled on the U.S. primary dealer system. Eligible banks, NBFCs and other financial institutions would be required to provide continuous two-way quotes, supported by incentives such as capital relief on bond inventories and access to RBI refinance and repo facilities. Enhanced market surveillance, real-time trade reporting, price dissemination and inventory disclosures are also recommended.

Investor and Issuer Participation

Broadening the investor base is identified as another critical reform pillar. Long-term institutional investors such as insurance companies, pension funds and provident funds are natural holders of long-duration bonds, yet regulatory investment norms constrain exposure only to higher-rated securities. The Report recommends a calibrated relaxation of these norms.

For retail investors, the Report proposes lowering minimum investment thresholds (from existing ₹ 10,000), increasing retail quotas in public bond issuances, particularly for tax-free and ESG-linked bonds7, and simplifying TDS provisions to address tax inefficiencies in secondary market trades. OBPPs have been acknowledged to contribute to secondary market liquidity, however, the volumes are low. Further, there is no mention of concerns w.r.t downselling through OBPPs which was recently highlighted by SEBI8

On the issuer side, India’s corporate bond market remains heavily concentrated among AAA and AA-rated entities. To address this imbalance, the Report advocates scaling up credit enhancement mechanisms such as PCEs and support from development finance institutions. It also highlights the need to promote longer-tenor issuances, especially for infrastructure and climate-linked projects, where asset lives significantly exceed typical corporate bond maturities. In this context, it is noteworthy that NITI Aayog has cited our resource, “Partial Credit Enhancement: A Catalyst for Boosting Infrastructure Bond Issuances?”, in the Report while discussing the role of partial credit enhancement mechanisms in deepening the corporate bond market (pp. 75 and 99). Further, regulatory subsidies for first-time or low-volume issuers and pooled issuance platforms to facilitate market access for smaller issuers is also recommended (pp. 65, 75).

The Report recognizes that CDS are underdeveloped. Currently, CDS can be purchased only by investors who already own the underlying bond, which prevents trading in the CDS market. Further, only single-name CDS are permitted, which means a separate CDS contract is required for each issuer, unlike global markets such as the U.S., where index CDS allows one CDS to cover a basket of bonds. Lastly, there is a limit on FPI investors providing CDS which is 5% of the outstanding corporate bond market. These restrictions have resulted in limited CDS protection. The Report also recommends bigger NBFCs to act as CDS market makers

Conclusion

NITI Aayog’s recommendations envisage a corporate bond market that evolves from a supplementary funding channel into a core pillar of India’s financial system. If implemented in a coordinated manner, these reforms could expand the market to ₹100–120 trillion by 2030, improve financial stability, and channel long-term capital into productive investment. The real challenge, however, lies in execution, particularly in achieving sustained regulatory coordination and market-making capacity. Addressing these constraints will be critical if corporate bonds are to play a meaningful role in financing India’s long-term growth and infrastructure ambitions under the vision of Viksit Bharat by 2047.

See our other resources on bonds

  1. Bond Credit Enhancement Framework: Competitive, rational, reasonable
  2. Demystifying Structured Debt Securities: Beyond Plain Vanilla Bonds
  3. Bond market needs a friend, not parent
  4. SEBI Securitisation Regulations: Track Record, Risk retention and Investment size among several new requirements
  5. Mandatory listing for further bond issues
  6. NHB’s PCE Scheme for HFCs
  7. Corporate Bonds and Debentures
  1. Covered bonds are secured debt instruments backed by a segregated pool of high-quality assets, offering investors dual recourse to both the issuer and the underlying assets. May refer to our resource on covered bonds. ↩︎
  2. May refer to our book Listing Regulations on Securitised Debt Instruments and Security Receipts ↩︎
  3. DVP is a settlement mechanism in which the transfer of securities and funds occurs simultaneously, eliminating counterparty and settlement risk
    ↩︎
  4.  May refer to our resource ‘Bond issuers set to become Market Maker to enhance liquidity’ ↩︎
  5. May refer to our resource ‘Mandatory bond issuance by Large Corporates: FAQs on revised framework’ ↩︎
  6. May refer to our resources ‘Sustainability or ESG Bonds’ and ‘From Rooftops to Ratings: India’s Green Securitisation Debut’ ↩︎
  7. May refer to our resource ESG Debt Securities: Framework for Issuance and Listing in India ↩︎
  8. May refer to our resource “Downstreamed through intermediaries: Deemed public issue concerns for privately placed debt” ↩︎

Dilemma of Duty: Companies in a fix as State demands Stamp Duties already paid as per Central law

/0 Comments/in , /by

– Sikha Bansal and Nitu Poddar | corplaw@vinodkothari.com

Published in Moneylife on December 16, 2025

The Indian Stamp Act, 1899 (“Stamp Act”) was amended in 2019 by the Finance Act, 2019 (“Amendment”), broadly – to introduce a unified mechanism for levy and collection stamp duty on issuance and transfer of securities, by insertion of sections 4(3), 9A, 9B, 62A, 73A, Article 56A among others. That Amendment introduced a unified, nationally applicable stamp duty framework that prescribes 0.005% as the duty on the issue of shares, to be collected centrally through depositories. This is how the era of dematerialised issuance of capital market instruments was ushered and furthered. 

After more than 5 years of the Amendment,  Delhi-based companies have begun receiving notices from the Delhi Revenue Department questioning the stamp duty paid on the issue of shares. The Department has, in fact, issued Letters to the depositories [NSDL, CDSL] asserting that stamp duty ought to have been paid at the rate of 0.1% on the value of shares issued, based on Article 19 of the State stamp law, disregarding the 2019 Amendment, and prohibiting the  depositories from collecting stamp duties on their behalf.

The State move has triggered uncertainty regarding share issuances effected after 1 July 2020, when the amended Stamp Act came into force. The communications issued by the Revenue Department of Delhi , with an ask of  duty which is 20 times more than the rate approved by the Parliament, disregard and challenge this uniform regime, leaving the companies grappling with compliance ambiguity and the risk of retrospective financial exposure, despite having followed the statutory mechanism approved by the Parliament.
If other States start asking for duties as per their respective laws, the intended harmonisation of stamp laws will soon turn into a cacophony!

This article touches upon the objective of the Amendments and looks for potential answers on the way forward.

The Amendment: a Unified Scheme

Pursuant to the Amendment, sections 9A and 9B were introduced in the Stamp Act. Section 9A is a non-obstante provision, which mandates that the depositories shall collect the duty on behalf of the State Government (“SG”) from the issuer, on the total market value of the securities. Similar provisions are there to deal with sale or transfer of securities. Section 9A(2) provides for levy of stamp duty as per the applicable rates given in Schedule I. Currently, as per Article 19 read with Article 56A of Schedule I, the stamp duty on the issue of shares is fixed at 0.005%. 

Notably, section 9A(3) expressly prohibits SGs from levying or collecting stamp duty on instruments covered under Section 9A(1), including the issue/sale/transfer of shares. Therefore, it is clear from a reading of bare provisions of the Stamp Act, that it was a conscious call to unify the mechanism for levy and collection of stamp duties, albeit, the right of the SGs to receive the duty remains protected – as the depositories will collect the stamp duty, only on behalf of the SGs. 

Rationale for the Amendment

The rationale and intent behind the Amendments was given in the Statement of Objects and Reasons in the Finance Bill, 2019 as follows:

“13. Clauses 11 to 21 of the Bill seek to amend the Indian Stamp Act, 1899 for levy and administration of stamp duty on securities market instruments by the States at one place through one agency, viz., through Stock Exchanges or its Clearing Corporation or Depositories on one instrument, and for appropriately sharing the same with respective State Governments based on State of domicile of the ultimate buying client.”

The Press Release by the Ministry of Finance dated Feb 21, 2019 states that, “In order to facilitate ease of doing business and to bring in uniformity and affordability of the stamp duty on securities across States and thereby build a pan-India securities market, the Central Government, after due deliberations, in exercise of powers under Entry 91 of the List I and Entry 44 of List III of the 7th Schedule of Indian Constitution, has decided to amend the Indian Stamp Act, 1899 to create the legal and institutional mechanism to enable states to collect stamp duty on securities market instruments at one place by one agency (through Stock Exchanges or Clearing Corporations authorized by it or by the Depositories) on one Instrument and develop a mechanism for appropriately sharing the stamp duty with relevant State Governments.

Further clarification on implementation of the Amendments was given vide Press Release dated June 30, 2020 which also reiterated the above and indicated that the Amendments were done after due consultation with State Governments.

See also, RBI Press Release dated July 1, 2020.

As it appears from the aforesaid Press Release, and also the Budget Speech for 2018-19 by the then Finance Minister, Shri Arun Jaitely, necessary consultation has been done with the States before amending the Central Act. Section 9A(4) specifically mandates that the 2019 Rules governing collection of stamp duty through depositories be framed in consultation with SGs

The question of constitutionality and legal principles

The issue, as it appears, involves a question of constitutionality. The Centre has enacted the Amendments citing “Entry 91 of List I: rates of stamp duty on instruments including transfer of shares and debentures” and “Entry 44 of List III: stamp duties other than judicial stamps, excluding “rates of stamp duty”. 

However, the Delhi Revenue Department appears to be disregarding the Amendments possibly on the following grounds:

  • Entry 63 of List II covers “rates of stamp duty” on documents other than those in List I. As such, this is the Entry which empowers the SG to decide on the rates of stamp duty.
  • Entry 91 of List I covers only “transfer” of shares, not “issue” of shares. As such, SG is the appropriate authority which can levy stamp duty on “issue of shares”.
  • Entry 44 of List III excludes “rates of stamp duty” from the concurrent list (which might lead to an inference that Centre cannot make laws on rates of stamp duty).
  • A further contention is that the depositories were not authorised by the Delhi Government to collect stamp duty on its behalf. 

Now, the question of constitutionality is itself a complicated matter, and is subject to judicial examination and interpretation. However, until the question of constitutionality is settled, any act/omission to act should ideally be judged on the basis of these two very important principles: One, Central law prevails over State laws, and two, presumption of validity of laws, as discussed below.

Prevalence of Central Law over State Law

First, that in case of inconsistency, if at all, between the law prescribed by the Centre and law prescribed by the State, the Central law prevails. Once Parliament legislates within its competence, and particularly when the legislation is later in time and designed to create a comprehensive framework, the Central law prevails in case of conflict. This is also referred to as doctrine of repugnancy. The Supreme Court has consistently affirmed the primacy of Parliamentary legislation in cases of overlap or conflict. 

See an exhaustive discussion on the doctrine of repugnancy in Forum for People’s Collective Efforts (FPCE) & Anr. v. the State of West Bengal and Others (2021). See also, I.T.C. Ltd. Etc v. State Of Karnataka (1985), in which the Supreme Court also observed that, “There may also be cases where despite an entry being in List II, the Parliament may under the provisions of Art. 246(3) take over that particular field and legislate on that subject which will debar the late legislative from adding or passing any such legislation which has been taken over under Act. 246(3).” See also, Baijnath Kedia v. State Of Bihar(1969).

Applied to the present context, the intent behind the 2019 amendment was unambiguous – to harmonise stamp duty on securities across India and eliminate State-level divergences that impede market efficiency.

Presumption of validity of law

Secondly, it is a well-established principle that there is a presumption always in favour of constitutionality of law, until a competent court declares it unconstitutional.  The onus to prove otherwise is on the person challenging it. In Chiranjit Lal Chowdhuri v. Union of India and Others, the Supreme Court observed, “ . . .the presumption is always in favour of the constitutionality of an enactment, and the burden is upon him who attacks it to show that there has been a clear transgression of the constitutional principles.” See also, Nand Kishore v. State of Punjab, Dharmendra Kirthal v. State of Uttar Pradesh and Another.

Therefore, in so far the question of constitutionality of the Stamp Amendments is concerned, the said Amendments have not been struck down by any court of law. Hence, there shall be a presumption that the Amendments are constitutionally valid and the stakeholders remain bound by the central framework. 

Depositories as statutory collecting agents

The contention that depositories require authorisation from individual State Governments is misplaced. Depositories collect stamp duty not as agents appointed by States but as statutory collecting authorities designated by Parliament under the Act read with Rules. Once Parliament has prescribed the mode of collection, State consent is not required.

Could Companies have paid any duty other than 0.005%?

Operationally, no. Companies issuing shares in dematerialised form have no option but to pay stamp duty at the rate of 0.005 percent. Depositories auto-calculate and collect duty at 0.005% based on the consideration value, leaving no discretion to issuers. The stamp duty calculator on the website of the depository also calculates the duty at the rate of 0.005% of the issue size. Further, CDSL’s SOP states, “the issuers have to remit applicable stamp duty to CDSL in the designated bank account before executing the corporate action in the system. If sufficient stamp duty amount is not present against the issuer, then the corporate action setup/ file uploaded by RTA remains under ‘Pending for Stamp Duty’ Status in CDSL system. In case of issuance stamp duty is applicable @0.005% of the consideration value. A stamp duty calculator has also been provided on the website for the purpose of applicable stamp duty. “

Potential steps for the companies 

From the discussion above, it is clear that:

  • the Amendment has been issued by the Central Government, 
  • the Amendment is later in time than the Delhi Amendment Act, 2001, 
  • so far, no competent court of law has declared it unconstitutional, and
  • duty paid by companies was not discretionary or something which companies would have controlled, but statutorily embedded into the functioning of the centralised system under Section 9A.

As such, all concerned are bound by such law. No fault can lie with the issuer companies which simply complied by the Centre-enacted law, and paid duty as per directions of authorities. 

Given the situation, the companies which receive any similar notice can take the following steps (to be evaluated on a case-by-case basis): 

  • Respond to the notices by citing Section 9A and enclosing evidence of duty paid through the depository;
  • Seek clarification from the Depositories and the Ministry of Finance;
  • Consider approaching the High Court by filing a writ under Article 226 to challenge the notices if enforcement action is initiated;
  • Evaluate whether any disclosure is necessary in the financial statements, depending on the wording of the notice and the likelihood of enforcement.

Closing Remarks

The unified stamp duty framework introduced in 2020 is a considered step calling for centralisation of duty collection on securities. As the communications by the Delhi Revenue Department  attempt to enforce a pre-2020 State rate, it is quite possible that the issue goes for judicial determination, mainly on the grounds of constitutionality. In any case, until the question of constitutionality is determined, the presumption of validity exists in favour of the Amendments. 

Our other resources:

  1. Article Corner on Stamp Duty
  2. Stamp duty on amalgamation with subsidiaries: Clash of court rulings
  3. Recent Amendments in Indian Stamp Act, 1899

The fine line between gossip and truth: conflicting rulings on price sensitive information disclosure

/1 Comment/in /by

– Saloni Khant, Executive | corplaw@vinodkothari.com

If there is a truth that the market needs to know, it is the duty of the company to let the market know it, no later than the truth becomes good for disclosure. It is no good for the company to sit smirking and watch unofficial media reports do rounds, even if these unofficial reports are as close to the truth as the company would have revealed. The duty to reveal does not get over with seeing the truth out through unofficial means. In fact, that raises even a larger concern: one, that the company failed its duty to speak the truth, and two, if the company did not reveal it, how did the market know it, and know almost the whole of the truth.

This is the law that we learnt and believed. This is the law that the SC in its December 2, 2025 ruling laid. This is the law that was reinforced by a clear language specifically amended vide the SEBI (PIT) (Amendment) Regulations, 2024

However, insider trading matters always tend to become so very case-specific that every case seems to say a different story. Some cases tell a story that one may not like to carry or use as a precedent, for example, the order dated December 12, 2025 by the Quasi-Judicial Authority, SEBI, in the matter of a large listed entity. 

In this article, we discuss what would be construed as “unpublished”, hence, UPSI, in the light of the recent SC order vis-a-vis recent and past rulings of SEBI on the subject. 

Meaning of UPSI

The definition of UPSI, as given under Reg 2(1)(n) of the PIT Regulations, 2015, contains the following elements: 

(i) There is an information

(ii) The information relates to the company or its securities, directly or indirectly

(iii) The information is not generally available, that is, unpublished.

(iv) The information is likely to materially affect the price of the securities upon becoming generally available, that is, price-sensitive

A list is also given, of information that would ordinarily be considered UPSI. 

Thus, in order to be construed as UPSI, both “unpublished” and “price-sensitivity” shall be present. In the absence of one of these, the information does not remain UPSI. In order to qualify as “unpublished”, the same shall not be “generally available information”. 

Generally available information and unverified media reports 

Generally available information is defined under Regulation 2(1)(e) as 

“Information that is accessible to the public on a non-discriminatory basis and shall not include unverified event or information reported in print or electronic media.

The phrase “shall not include unverified event or information reported in print or electronic media” was inserted pursuant to the SEBI (PIT) (Amendment) Regulations, 2024 following the Consultation Paper dated December 28, 2023

The CP pertained to verification of market rumours, and proposed that: 

In case the listed entity has classified certain information as UPSI and the entity neither confirms, denies or clarifies market rumour pertaining to such information published in the media, then such media reports should not be used later by an insider as a defence that the information was ‘generally available’.

Thus, an unverified media report does not constitute “generally available information”. 

Verdict of Supreme Court

In its order dated December 2, 2025, the Supreme Court upheld a penalty of Rs. 30 lakh on a listed entity for non-disclosure of UPSI to the stock exchange when the information had already been widely disseminated by news agencies. It upheld that 

Selective leakage of the information, howsoever accurate or otherwise or complete or in bits and pieces, does not discharge the company from its responsibility of making prompt disclosure to make it generally available, more so when such information has been classified by company as UPSI.’

Recent Order passed by SEBI contrary to SC’s verdict 

In a later order dated December 12, 2025, the charges against the alleged insiders were leakage of UPSI and trading while in possession of UPSI. The alleged UPSI in the instant case was acquisition of a company in the same sector which would lead to a major increase in operational capacities. The Company disclosed the same officially only on execution of the share purchase agreement on May 19, 2025, while several press reports appeared about the very same news on May 16, 2025 and May 17, 2025. In its order, the Quasi Judicial Cell (QJC) , SEBI dropped charges against the company primarily on the ground that the “news” was already in public domain. The QJC has reproduced extracts from several such media reports, none of which were based on a disclosure made by the company.  Based on these reports, QJC held that the information “ceased to be UPSI as it was available on non- discriminatory basis and became generally available information after the publication of the news reports”. The QJC cited several past rulings to support its view, even though, before the QJC order dated December 12, 2025, rulings of SAT as also the December 2, 2025 ruling of SC were also available, and not cited in the QJC Order. 

Is this order one of its kind, or does it serve as a precedent? If it serves as a precedent, then it seems to be unsettling the law, apparently settled after the specific amendment made in May 2024

We take note of the various rulings in the matter.

A. Rulings favouring unverified media reports as “unpublished” or “selectively available” information 

In a February 2021 order,  SEBI held that statements made by the Chairman/ Managing Director of a company in response to an interview to select news channels does not result in making an information “generally available”. This was based on the reason that: 

“The said information was very fluid and nebulous as it was bereft of specific details as to how this restructuring will ultimately be executed. Questions and response to the questions posed during the interview were varied and did not contain all the information in uniform/structured manner.”

In a November 2020 order, it was observed that news reports about an UPSI without any specific details and supporting evidence for its contents does not result in making that UPSI generally available. 

In a June 2020 order, SEBI, referring to the definition of “unpublished” under the 1992 Regulations, held that media reports are speculative in nature, and hence, unless published by the Company, cannot be treated as published information.

B. Rulings favouring unverified media reports as “generally available” information 

The recent December 12 order of SEBI draws reliance on various past rulings on the subject. The same has been briefly discussed below. 

An appeal against a SEBI order, back in 1998, decided by the then Appellate Authority (erstwhile Ministry of Finance) observed:

For information to be generally known, it is not necessary that it be confirmed or authenticated by the company as otherwise, it would fall within the scope of ‘published by the company.

xx

Information which was published in press reports despite non -acknowledgement by the Company, was generally available/ known information if ‘there are strong reasons to believe that the impending merger, though not formally acknowledged or published, was in one sense generally known and UTI’s denial of knowledge cannot be implied to mean that market in general had no information in this regard.

This order attempted to distinguish between “unpublished” and “generally available” information. However, following the said order, the 1992 Regulations were amended by a 2002 amendment to clarify that – “Speculative reports in print or electronic media shall not be considered as published information”. 

In a December 2023 order of SAT where the information in relation to a proposed merger became available in public domain through news articles, digital media, etc, such media-published information was considered as making the information “generally available”. 

“Thus, the contention of the respondent that the term “generally available information” means only the information which has been disseminated on the platform of the stock exchange is taking a very narrow and restrictive view. Whereas information published on the stock exchange would constitute generally available information, it would also follow that any information accessible to the public on non-discriminatory basis would also be generally available information.

Thus, publication of information regarding the transaction which was reported in multiple prince and digital publication including Economic Times, The Hindu Business, Business Lines, The Money Control, etc. wherein the nature of transactions was highlighted in depth clearly leads to an irresistible conclusion that information of the transaction was generally available”.

A similar view was taken by SEBI in an October, 2020 order where based on the wide viewership of the media, the UPSI was considered to become generally available. 

In a January 2018 order, SEBI held that UPSI related to receipt of a show cause notice becomes public from the date of its publication in a specific newspaper.

Leakage of UPSI

Parallel to the disclosure requirements applicable on the company, the leakage of UPSI through media reports also require companies to do an inquiry into the source of the leakage, and review of the internal processes to monitor and avoid any future instances of leakage of UPSI. 

Conclusion 

Despite the above QJC Order, we are of the view that the duty to make truthful disclosure is that of the company; the company cannot either remain silent, or treat media gossip as the revelation of truth. As Manusmriti 2.83 says: मौनात् सत्यं विशिष्यते. 

Author’s Comment: 
The  facts of the case in the 12th December ruling of SEBI pertain to a matter in 2021. The mandatory requirements with respect to rumour verification were first notified in 2023, with subsequent extension of dates to its applicability. Amendments in the definition of “generally available” information were also notified in May 2024. As such, the ruling is based on the position of law prior to such amendments, and is based on the views taken by SEBI and SAT in similar other matters.  
We understand that every quasi judicial decision is based on the facts of the matter, application of the law on the specific factual matrix, etc. In the instant case, the issue under consideration might have been whether, after the press releases precisely giving out the details of the matter, would there have been any additional information by the company, even if the company was to give its own disclosure.

Our other Resources:

  1. Failure to disclose price sensitive information: SC upholds penalties
  2. Prohibition of Insider Trading – Resource Centre
  3. Defining Duty: Extent of Liability of a Compliance Officer under Insider Trading Regulations

RBI Guidelines on Current Account and OD Facilities: Key Provisions

/0 Comments/in /by

– Anita Baid | finserv@vinodkothari.com

RBI has introduced significant amendments concerning the opening and operation of Current Accounts and Overdraft (OD) facilities. In case of commercial banks, the new provisions contained in Chapter XIA – ‘Opening of Current Accounts and CC / OD Accounts by Banks’, replace the erstwhile framework outlined in Chapter XI of the Reserve Bank of India (Commercial Banks – Credit Risk Management) – Amendment Directions, 2025. The revised guidelines aim to rationalize the restrictions, particularly by increasing the minimum exposure threshold for applicability and providing explicit exemptions for Cash Credit (CC) facilities, thereby streamlining the management of working capital and banking arrangements for corporate borrowers.

Read more

Shastrartha 25 – Regulations for Banking Group Entities

/0 Comments/in /by

Register your interest here: https://forms.gle/cfHXEVc39B4g14ek6

A 5th December 2025 RBI amendment has introduced significant changes to the manner in which business activities may be allocated among banks and entities within banking groups, including NBFCs, HFCs, securities broking entities, AMCs, and others. These changes impact all banks with non-banking subsidiaries or associates, as well as all NBFCs, HFCs, and related entities forming part of banking groups.

Some of the requirements come into effect as early as 31st March 2026, creating an urgent need for impacted entities to reassess, restructure, or reposition their business models and inter-group arrangements.

We intend to examine these developments in depth. Given the nature and implications of the amendment, the session will include active interaction with seasoned banking and finance professionals.

You are invited to express your interest in joining this interactive discussion, scheduled for December 15th, 2025 | 6:00 p.m. onwards | YouTube & Zoom Live.

Other Resources:

A New Way to Verify Aadhaar Offline: Introduction of Face Matching

/0 Comments/in /by

– Anita Baid | finserv@vinodkothari.com

The identity verification process, specifically in case of digital transactions, has taken another step with the introduction of the Aadhaar Verifiable Credential (AVC) verification process. Introduced vide the Aadhaar (Authentication and Offline Verification) Amendment Regulations, 2025, this intends to ease the KYC verification process by regulated entities. 

For all these years, aadhaar verification relied primarily on authentication mechanisms such as OTP or biometric scanning or various forms of offline verification such as QR code verification or e-aadhaar verification or offline paper based verification. While authentication requires interaction with the UIDAI’s central servers; offline methods can be prone to manual handling and lack the security assurance that comes with a digitally verifiable central record.

Existing Offline Verification Mode

Regulated entities like banks and NBFCs, have a requirement of performing identity verification or KYC, make use of Aadhaar offline verification for the same. The common modes of offline verifications are as follows:

  1. Collection of the Aadhaar letter copy or printed E-aadhaar or PVC card and subsequently read the QR code to validate the digital signature and match the information in QR code with the printed information. 
  2. Reading QR code from the e-Aadhaar or m-Aadhaar application or PVC card or Digi locker app by using a mobile app or computer application. Subsequently the digital signature present in the QR code is validated, the information in QR code is matched with the Aadhaar data.
  3. Borrower submits a downloaded Paperless Offline e-KYC file and the digital signature in the file is validated. 

Now the Amendment Regulations have inserted another mode that is, Aadhaar Verifiable Credential verification, which may be carried out with or without offline face verification. Further, the reference to XML file and m-Aadhaar has been removed. 

What is an Aadhaar Verifiable Credential (AVC)?

AVC is a digital document issued by the Unique Identification Authority of India (UIDAI) that encapsulates specific, minimal identity attributes of an Aadhaar holder (e.g., name, date of birth, photo, last four digits of the Aadhaar number). Given that the AVC is issued by the UIDAI, makes it tamper-proof and instantly verifiable for authenticity. 

The Amendment Regulations provides the following definition:

“Aadhaar Verifiable Credential” means a digitally signed document issued by the Authority to the Aadhaar number holder which may contain last 4 digits of Aadhaar number, demographic data, like, name, address, gender, date of birth, and photograph of Aadhaar number holder, and such other information as may be specified by the Authority, which may be shared by Aadhaar number holder in full or part with an OVSE in the manner specified by the Authority, for verifying the demographic information or photograph of the Aadhaar number holder;”

Unlike full Aadhaar authentication, which might reveal more information than necessary, the AVC allows for selective disclosure, containing last 4 digits of Aadhaar number, demographic data, like, name, address, gender, date of birth, and photograph of Aadhaar number holder, and such other information as may be specified by the UIDAI. 

The key features of the AVC are as follows:

  1. Nature of document: It is a digitally signed document, with a tamper-proof and verified nature.
  2. Issuer: The document is issued solely by the Authority, that is UIDAI.
  3. Selective Disclosure: The AVC contains selective demographic data, including the last four digits of the Aadhaar number and a photograph.
  4. Controlled Sharing: The AVC is shared by the Aadhaar number holder with an OVSE (Offline Verifying Seeking Entity), ensuring the holder maintains control over  its dissemination.
  5. Purpose: The sole purpose of sharing the VC is for verifying the demographic information or photograph of the holder, strictly limiting its use for KYC procedures.

Who are Offline Verification Seeking Entity (OVSE)?

The Amendment Regulations, 2025, require Verifying Entities on being registered as OVSE to perform offline verification. Further, the regulated entities are required to make an application to UIDAI under Regulation 13A to perform Aadhaar Paperless Offline e-KYC or Aadhaar Verifiable Credential (AVC) verification via the Aadhaar Application.

The registration process requires the entity to apply to UIDAI on specified terms and conditions. UIDAI has the power to request further information, verify the details submitted, approve the application if satisfied, or reject it otherwise. If rejected, the grounds must be communicated within fifteen days. An aggrieved applicant has thirty days to apply for reconsideration. Crucially, a registered OVSE must perform offline verification only for lawful purposes, which includes carrying out KYC and Customer Due Diligence by a regulated entity.

The Amendment Regulations also clarify that Offline Verification may be carried out by the OVSE with or without offline face verification. Hence, there is an option that AVC verification can be clubbed with offline face verification.

Offline Face Verification Process

The Amendment Regulations formally define ‘Offline Face Verification’ as: 

‘”Offline Face Verification” means a mode of offline verification in which the live facial image of an Aadhaar number holder is captured and is verified against the photograph of the Aadhaar number holder stored within the Aadhaar application of the Aadhaar number holder for the correctness, or lack thereof;”

In this regard, “Aadhaar Application” means any official mobile application or web application developed and managed by UIDAI to provide an interface to Aadhaar number holders for services related to Aadhaar, including performing offline verification.

The process of Offline Face Verification establishes a secondary, crucial layer of verification that links the digital credential embedded in the AVC to the physical presence of the individual. The requirement is to ensure a live facial image of the aadhaar holder is captured, hence requiring a physical meeting and verifying it against the photograph from the aadhaar application. This is a significant step toward preventing the fraudulent use of a verified credential by someone other than the actual holder, ensuring greater integrity of the KYC process. We will have to wait and see in case the RBI comes up with necessary amendments in the KYC Directions to recognise the AVC and face verification done remotely as a face to face mode of KYC. 

Will there be an ease for Regulated Entities (RE)?

The existing process of KYC identification includes offline verification and authentication. For the implementation of the AVC and face verification facility, the RE is additionally required to be registered as an OVSP.  

Henceforth, there will be only 3 recognised ways of performing Aadhaar offline verification with or without offline face verification- 

  • QR Code verification 
  • Aadhaar Paperless Offline e-KYC  
  • AVC verification 

It seems that the Amendment Regulations require registration as an OVSE for the purpose of carrying out offline verification in case of AVC or Aadhaar Paperless Offline e-KYC Verification through the Aadhaar Application. The other modes of carrying out the verification (QR code verification, e-Aadhaar verification/Offline Paperless e-KYC verification) do not require any such registration. However, these modes require the RE to validate the digital signature of the Authority embedded in these documents. RE will, therefore, now have to decide which of these options is operationally more convenient for them.

Further, it seems that offline verification along with offline face verification would be regarded as a complete face-to-face KYC for the purpose of the onboarding of customers by regulated entities. 

Read More:

  1. Online Authentication of Aadhaar: Exclusive Club, Members Only!
  2. Setu-ing the Standard: NPCI’s New Path to Aadhaar e-KYC
  3. Resources on KYC


Every Business is a Data Business: Applicability of DPDP Act to Non-Financial Entities

/0 Comments/in , , , , /by

-Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The Digital Personal Data Protection Act, 2023 (“DPDPA”), along with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules’, “Rules”), establishes India’s first comprehensive and rights-based data protection regime. The Act’s applicability extends far beyond financial institutions; it encompasses any entity, large or small, digital or traditional, that processes digital personal data. Although public discourse frequently associates data protection obligations with banks, fintech companies, and large technology entities, the DPDPA’s scope is intentionally crafted to be broad and sector-agnostic. As a result, non-financial entities operating in fields such as FMCG, real estate, healthcare, hospitality, education, retail, and even small kirana shops using basic digital systems are brought squarely within its regulatory ambit.

This wide applicability stems from the Act’s fundamental design. It regulates processing, not industry classification. As long as an entity processes any digital personal data, whether it is a customer’s name and phone number, an employee’s email address, a patient’s medical record, or a tenant’s identity document, the DPDPA applies, unless a statutory exemption is granted.

This article examines the applicability of the DPDPA to non-financial entities, analyses the lawful bases for processing personal data, evaluates sector-specific implications, discusses whether corporate data is included within the scope of “personal data”, and explores the operational and regulatory obligations, including security safeguards, deletion timelines, and Data Principal rights. A supporting analysis of Section 17 of the DPDPA which empowers the Central Government to exempt certain entities is also provided, along with the practical question of whether small businesses such as kirana stores may eventually be exempted.

Statutory Foundation for Applicability to Non-Financial Entities

The applicability of the DPDPA flows from Section 3, which states that the Act applies to the processing of digital personal data (including personal data which is collected physically and digitised later) within the territory of India and to processing outside India if the processing is connected with any activity of offering goods or services to data principals within the territory of India. There is no carve-out or exception based on the nature of the business, regulatory environment, or industry classification of the entity. Consequently, companies operating in sectors such as fast-moving consumer goods (FMCG), real estate, hospitality, e-commerce, education, healthcare, and professional services must comply with the Act if they process digital personal data.

The definition of “personal data” under Section 2(t) is intentionally broad, referring to any data about an identified or identifiable individual. This broad definitional standard ensures that even the most basic identifiers such as, names, phone numbers, email addresses, login credentials, and customer records fall within the purview of the Act. As a result, non-financial entities that process personal information of customers, employees, patients, visitors, students, tenants, or vendors automatically become “data fiduciaries” under Section 2(i) and must meet all obligations imposed by the Act.

The core philosophy underlying the DPDPA is processing-centric regulation. The Act deliberately avoids distinguishing entities based on their business sector, risk level, or regulatory regime. Instead, it focuses on the fundamental principle that any organisation handling personal data plays a significant role in the digital ecosystem. Non-financial entities have dramatically increased collection and utilisation of personal data for purposes such as digital marketing, analytics, supply-chain management, customer engagement, employee administration, and third-party platform integrations. This reality makes them equally capable of causing privacy harms or security breaches as financial institutions, and hence equally subject to regulation.

Moreover, non-financial sectors operate extensive digital infrastructure, such as e-commerce platforms, CRMs, ERPs, AI-based analytics systems, CCTV surveillance networks, and biometric verification systems, that rely heavily on personal data. These systems are vulnerable to cyberattacks, unauthorised access, data misuse, profiling, and identity theft. By bringing them fully within the regulatory framework, the DPDPA ensures a uniform accountability standard across the Indian digital economy.

Impact on Small Entities and the Prospect of Exemptions

Small business owners including kirana shops, local merchants, fitness coaches, small doctor’s clinics, tuition centres, neighbourhood restaurants and small real-estate brokers frequently engage in personal data processing such as storing customer phone numbers for order delivery, maintaining digital records for loyalty schemes, providing receipts digitally etc. The Act, as it stands, does not grant automatic exemptions for such entities. They are expected to issue notices, collect valid consent where applicable, respect withdrawal, ensure reasonable security safeguards, and delete data once the purpose is achieved.

This creates a compliance burden that many micro-enterprises lack the resources to fulfil. The proportionality concerns are evident: penalties under the Act may reach hundreds of crores, even though government statements indicate that penalties will be imposed only where there is significant negligence or wilful misconduct. 

The presence of Section 17(3), however, signals clear legislative recognition that small entities may require differentiated treatment. It remains reasonably likely that the government may, in future, exempt certain classes of micro-entities processing minimal personal data from certain provisions of the Act as provided under Section 17(3) and declare them as “low-risk data fiduciaries” with reduced compliance requirements.

Such exemptions would be consistent with global practice: for instance, GDPR permits reduced compliance obligations for small data volumes and uses a risk-based approach. Until notifications are issued, however, all entities including small merchants who are processing digital personal data,  remain subject to the Act.

Modes of Data Processing: Consent and Legitimate Uses

Under the DPDPA, the only lawful basis for processing personal data without consent is the limited set of “legitimate uses” specified under Section 7. Unlike earlier drafts of the Bill or international frameworks like the GDPR, “contractual necessity” or “contractual obligation” is not included as a legitimate use under the enacted DPDPA. This is a deliberate departure from global practice and means that entities cannot rely merely on contractual engagement to justify processing of personal data without consent.

Consent therefore becomes the primary lawful basis for most private-sector organisations, especially in non-financial sectors. Consent must meet the requirements of Section 6 and must be preceded by a detailed notice under Section 5. Withdrawal of consent must be as easy as its grant, placing significant obligations on data fiduciaries.

Legitimate uses under Section 7 remain narrow and apply primarily to scenarios such as compliance with law or judicial orders, medical emergencies, safeguarding individuals during disasters, and other notified public-interest functions. Most routine commercial operations in FMCG, real estate, healthcare, retail, and education do not fall within legitimate use and therefore require consent-based processing.

Applicability on Non-Financial Sector entities

Applicability in the FMCG Sector

FMCG companies, both digital-first and traditional, routinely collect and process large volumes of personal data, often through online portals, mobile applications, loyalty cards, e-commerce platforms, and promotional events. Customer names, phone numbers, addresses, behavioural data, purchase histories, and feedback form the core of their data-driven marketing strategy. Because “contractual necessity” is not a legitimate use under the DPDPA, almost all customer-facing processing requires consent, particularly marketing, profiling, analytics, and preference tracking

Additionally, FMCG entities store substantial employee personal data, which may be processed under legitimate uses for employment However, indefinite retention of customer data after fulfilment of the purpose is expressly prohibited under Section 9, mandating regular deletion or anonymisation.

FMCG entities must ensure:

  1. Clear and accessible privacy notices at all customer touchpoints
  2. Consent for marketing communications and behavioural profiling
  3. Data minimisation—avoiding excessive or persistent tracking
  4. Right to withdrawal and grievance redressal mechanisms
  5. Deploy consent banners for digital marketing
  6. Maintain opt-out mechanisms
  7. Train sales agents on data minimisation
  8. Delete customer data after loyalty programme completion

Applicability in the Real Estate Sector

The real estate sector handles sensitive personal data of prospective buyers, tenants, investors, and visitors, including identification documents, financial details, contact numbers, and biometric or CCTV data for access control in residential and commercial complexes. Most of this data is collected for contractual and compliance purposes under RERA, municipal laws, or verification procedures, placing it within the scope of legitimate uses. Yet, marketing of new projects, cold calling, and database sharing with brokers or partners require explicit consent.

A major compliance challenge in this sector is data retention, since developers often maintain personal records of customers long after project completion or sale. Section 9 makes it clear that data fiduciaries cannot retain personal data beyond the period necessary to satisfy the purpose for which it was collected, unless mandated by law. Real estate entities must therefore implement strict retention schedules and erasure policies.

Given that contractual obligation is not a legitimate use, real estate entities must:

  1. Obtain explicit consent for collection of identity documents and contact details
  2. Provide detailed notices explaining the purpose of collection of each category of data
  3. Securely store documentation, especially digital scans of IDs
  4. Establish retention and deletion policies for old applications, unconverted leads, or completed transactions
  5. Obtain consent before collecting identity proofs
  6. Encrypt storage of buyer documentation
  7. Delete lead data after reasonable time if unconverted
  8. Update customer agreements with DPDPA disclosures
  9. Ensure breach notifications and incident reporting mechanisms

Limited circumstances, such as government-required land/property registration processes, may fall under legitimate use.

Applicability in the Medical and Healthcare Sector

Healthcare providers including hospitals, clinics, diagnostic centres, telemedicine platforms, and wellness service providers process exceptionally sensitive categories of personal data, such as health records, medical histories, prescriptions, laboratory results, insurance information, and emergency contact details. While the DPDPA does not create a separate class of sensitive personal data (unlike GDPR’s Article 9), it indirectly imposes a heightened duty of care through Section 8, which mandates reasonable security safeguards for all personal data.

Most healthcare processing is covered under legitimate uses, particularly when it is necessary to provide medical treatment, respond to emergencies, or ensure patient safety. However, collecting personal data for promotional communication, wellness packages, and non-essential data analytics require explicit consent. Healthcare entities must also be mindful of strict deletion timelines under Section 9, ensuring that data is retained only for statutory medical record retention periods and not beyond.

Medical entities must:

  1. Implement the highest level of security safeguards mandated under the Rules
  2. Minimise collection of data not directly required for treatment
  3. Provide deletion rights once data retention laws (such as clinical establishment rules) permit deletion
  4. Ensure breach notifications and incident reporting mechanisms

Applicability to Other Non-Financial Sectors

A wide range of other sectors also fall fully under the Act’s scope. The hospitality industry collects personal data for guest registration, reservations, and government-mandated identity verification, and must ensure consent for digital marketing, loyalty schemes, or data sharing with travel partners. The e-commerce sector relies heavily on personal data for order fulfilment, logistics, and grievance redressal, but requires explicit consent for recommendation engines and personalised advertising. Educational institutions process student data for academic administration and compliance, requiring parental consent for processing of minors’ data under the DPDP Rules. Manufacturing and industrial entities may process limited personal data, but employee data, vendor contact details, CCTV surveillance footage, and visitor logs still bring them under the scope of the Act.

Processing of employee and vendor related data

Processing of employee and vendor personal data requires a nuanced understanding under the DPDPA, because the lawful bases and practical compliance mechanisms differ significantly for each category. In the case of employees, section 7(i) of the Act expressly recognises employment-related purposes as a legitimate use, thereby permitting employers to process the personal data of their employees including candidates, full-time staff, contractors, interns and potential employees without requiring explicit consent, so long as such processing is necessary for recruitment, attendance management, payroll, statutory compliance, or performance evaluation. However, any processing that goes beyond what is necessary for employment for instance, wellness programmes, optional benefits, behavioural analytics, or promotional features must still be based on consent.

However, in contrast, vendor employee related personnel data (names, email IDs, mobile numbers of points of contact) does not fall within any legitimate use category, and contractual necessity is not recognised as a lawful ground under the DPDPA. This leads to a practical challenge: vendors must supply personal data of their representatives for coordination and performance of commercial contracts, yet obtaining individual notices and explicit consent from each representative is often impracticable, and mere inclusion of consent language in the vendor contract does not satisfy the statutory requirement of explicit, informed consent.

To mitigate this, businesses can adopt a multi-layer compliance model. First, during vendor onboarding, companies can require the vendor entity to nominate authorised representatives, and mandate that the vendor obtain explicit consent from those individuals before sharing their information. The obligation can be placed contractually on the vendor to:

  1. inform its representatives of the purposes for which their data will be processed,
  2. provide them with the Data Fiduciary’s privacy notice, and
  3. obtain explicit, affirmative consent before disclosing the data. 

While the DPDPA requires explicit consent from the Data Principal, it does not prohibit consent being obtained through an authorised intermediary, provided the intermediary can demonstrate that the individual has indeed given such consent. Second, companies may maintain a publicly accessible privacy notice (e.g., on their website) that applies to all external stakeholders including vendor personnel setting out the purposes of processing, retention periods, rights, and grievance redressal mechanisms. Though a notice must still be “made available,” a standardised publicly available notice reduces the administrative burden of issuing individualised notices in every instance. Third, when communication is initiated with a vendor’s representative for the first time, companies should send a brief digital notice, via email or SMS, giving the individual access to the privacy notice and explaining that their data has been provided by their employer for coordination of contractual activities. This satisfies the obligation of informing the Data Principal even if consent was collected upstream by the vendor. Finally, systems must allow vendor personnel to request correction or deletion of their details, and a replacement representative can be nominated by the vendor entity, enabling ongoing compliance without business disruption.

Treatment of Corporate Data and Email IDs as “Personal Data”

The DPDPA’s definition of personal data applies strictly to natural persons, and therefore corporate data that does not identify an individual lies outside its scope. However, the boundary can be complex. Email addresses such as firstname.lastname@company.com or name@gmail.com clearly identify specific individuals and therefore may fall within the definition of personal data. Similarly, phone numbers, employee codes linked to individuals, or vendor representative names constitute personal data.

Conversely, generic email addresses such as info@company.com, support@business.com, or legal@gmail.com cannot be traced to a specific individual and therefore would not be considered personal data. This interpretation aligns closely with GDPR Recital 26, which clarifies that data relating to legal persons or generic organisational identifiers does not constitute personal data unless it directly identifies a natural person. Non-financial entities must thus carefully classify their corporate data based on identifiability to avoid over- or under-compliance.

Security Obligations, Data Principal Rights and Deletion Requirements

All non-financial entities qualifying as data fiduciaries must comply with Section 8’s mandate to implement reasonable security safeguards, including organisational policies, encryption standards, access controls, periodic audits, vulnerability assessments, and incident response mechanisms. Data breaches must be reported both to the Data Protection Board and to affected data principals in accordance with the DPDP Rules, 2025. Larger non-financial entities may be designated as Significant Data Fiduciaries under Section 10, requiring them to appoint Data Protection Officers, conduct Data Protection Impact Assessments, and undergo independent data audits.

Data principals are granted a suite of rights under Sections 11 to 15, including the right to access information about processing, seek correction or erasure of personal data, nominate a representative for emergency situations, and obtain a grievance resolution in a timely manner. These rights create substantial operational obligations for non-financial entities, which must set up dedicated channels and workflows to address such requests.

Retention and deletion are governed explicitly by Section 9, which requires that personal data be erased once the purpose has been fulfilled and no legal obligation justifies continued retention. This provision significantly impacts sectors that historically maintained extensive archives of customer and employee data with no defined deletion timeline. The DPDP Rules, 2025, require periodic data retention assessments and impose specific timelines for erasure following the withdrawal of consent or completion of purpose.

Conclusion

The DPDPA represents a transformative shift by imposing uniform obligations across all entities that process digital personal data, regardless of the industry in which they operate. Non-financial entities often overlooked in discussions of data protection engage in extensive personal data processing through their digital platforms, operational systems, and customer engagement mechanisms. As a result, they are equally bound by statutory requirements governing lawful processing, consent mechanisms, legitimate uses, security safeguards, erasure obligations, and individual rights. The DPDP Rules, 2025, further operationalise these requirements, placing significant compliance responsibilities on non-financial sectors that must now adopt structured governance frameworks, update internal policies, and strengthen technical safeguards.

As India moves closer to an integrated digital economy, the DPDPA’s application to non-financial sectors ensures that privacy protection becomes a universal standard rather than a sector-specific obligation, aligning the country’s data governance landscape more closely with global frameworks such as the GDPR, while addressing local needs through its own unique regulatory philosophy. 

As Justice D.Y. Chandrachud observed in the landmark judgment of K.S. Puttaswamy v. Union of India:

“In the digital economy, every entity that touches personal data becomes a gatekeeper of privacy.”

This statement has become a defining reality in today’s data-driven landscape.

Our other related resources:

Banking group NBFCs:  Need to map businesses to avoid overlaps with the parent banks

/0 Comments/in , , , , , /by

– Vinod Kothari | finserv@vinodkothari.com

The new dispensation implemented from 5th December 2025 implies that lending business, obviously carried in the parent bank, needs to be allocated between the bank and the group entities so as to avoid overlaps. The bank will have to take its business allocation plan, at a group level, to its board, by 31st March 2026.

The RBI’s present move has certain global precedents. Singapore passed an anti-commingling rule applicable to banking groups way back in 2004, but has subsequently relaxed the rule by a provision referred to as section 23G of the Banking Regulations. However, the approach is not uniformly shared across jurisdictions.

We are of the view that as the decision works both at the bank as well as the NBFC/HFC level, the same has to be taken to the boards of the respective NBFCs/HFCs too.

Businesses which currently overlap include the following:

  1. Loans against properties
  2. Housing finance
  3. Loans against shares
  4. Trade finance
  5. Personal loans
  6. Digital lending
  7. Small business loans
  8. Gold loans
  9. Loans against vehicles  – passenger and commercial, or loans against construction equipment

In our view, banks will have serious concerns in meeting their priority sector lending targets, unless they decide to keep priority sector lending business in the bank’s books. Priority sector lending is quite often much less profitable, and the NBFCs in the group are able to create such loans at much higher rates of return due to their delivery strengths or customer franchise. As to how the banks will be able to originate such loans departmentally, will remain a big question.

There are other implications of the above restrictions too:

  1. If a bank is engaged, for example, in MSME lending, but auto loans are done at the group entity, the bank cannot be a co-lender with its group entity, nor can it acquire auto loans originated by its group entity.
  2. Extending the same argument, if the banking group is carrying auto loan activity in its group NBFC, it cannot buy auto loans either by way of a direct assignment or co-lending, originated by other banks or other independent NBFCs. The reason for this is obvious – if the bank has decided to carry auto lending activity in its group entity, it should stay away from that exposure, even if originated by other entities.
  3. The decision to keep particular loan products with group entities – can it be stretched to the extent that bank will not have indirect exposure in such products, for example, by way of giving a loan to its group entity for on-lending for a product which the bank does not undertake departmentally? One of the reasons that may have prompted the Mohanty Group report in 2020 to segregate products between the bank and its group entities was contagion risk. If contagion is at the core of the present restriction, then that risk is still there even if the bank lends to a group entity for on-lending for a product. However, in our view, the present restriction is primarily aimed at avoiding regulatory arbitrages, and cannot be expected to require a completely independent financing of the loan products that a subsidiary finances, and not the bank.
  4. Therefore, in our view, a bank may not only on-lend to its group entities (of course, on the basis of an arm’s length lending approach), but it may also buy the asset-backed securities arising from such loan portfolios as sit with its group entities.

Factors to decide loan product allocation

In case of several non-lending products such as securities trading, demat services, etc., the approach may be easier. However, lending services constitute the bulk of any bank’s financial business, and group NBFCs and HFCs are also evidently engaged in lending. Hence, there may be a delicate decisioning by each of the boards on who does what. Note that this choice is not spasmodic – it is a strategic decision that will bind the entities for several years.

The factors based on which banks will have to decide on their business allocation may include:

  1. Delivery mechanisms – Mostly, branch and team strengths are sitting in group entities. Therefore, the loan products that entail last mile customer outreach, geographical access, etc are naturally housed in entities which possess those abilities.
  2. Technology strength: Some of the products are based on fintech or similar technology strength, which may be sitting with respective entities.
  3. Recovery mechanisms – Group entities are typically more nimble than banks. Hence, while banks may keep loans on their books, but they may engage group entities for recovery purposes.
  4. Priority sector requirements-:  This will be a very important factor in deciding business allocation. Banks are mandated to invest 40% of their ANBC in qualifying priority sector loans – not NBFCs. Hence, for such loans as qualify as priority sector, the option may be to house the portfolios with the bank, or to invest in pass through certificates.

Securitised notes: whether investment in group entities?

Talking about pass through certificates, there is a complicated question as to whether the investment limits imposed by the 5th Dec. 2025 amendment on aggregate investments in group entities will include investment in pass through certificates arising out of pools originated by group entities. In our view, the answer is in the negative, as the investment is not originator, but in the asset pools. However, if the bank makes investment in the equity tranche or credit enhancing unrated tranches, the view may be different.

Conclusion

Banks are heading shortly in the last quarter of a year which is laden with strong headwinds. In this scenario, facing business allocation decisions, rather than business expansion or risk management, may be more challenging than it may seem to the regulators.

Other resources:

Banks’ exposure to AIFs: Group-wide limits introduced

/0 Comments/in , /by

– Simrat Singh | Finserv@vinodkothari.com

The RBI has long been stitching up the seams where AIF structures threatened to pull at the fabric of Banking regulation. The latest amendment to the Reserve Bank of India (Commercial Banks – Undertaking of Financial Services) Directions, 2025 is another careful thread in that ongoing work. The provisions apply not only to banks directly but also to exposures routed through their group entities (meaning subsidiary, JV or associate of the bank). Banks (and their group entities) may still participate in AIFs but only within closely drawn boundaries. The message is unambiguous: the AIF route cannot be used to skirt evergreen exposures or manufacture regulatory arbitrage. 

Limits on investment in AIF schemes

For Category I and Category II AIFs, limits apply at both the individual bank level and at the group level.

  • At the bank level, no bank may contribute more than 10% of the corpus of any AIF scheme;
  • At the bank group level, investments are permitted within a corridor:
    • Less than 20% of the corpus of Cat I or Cat II AIFs may be invested without prior approval, provided the parent bank continues to meet minimum capital requirements and has reported net profit in each of the preceding two financial years. This means even the AMC along with the bank cannot hold more than 20%;
    • Between 20% and 30% of the corpus may be invested with prior RBI approval.

A systemic cap overlays this: contributions from all regulated entities  – banks, NBFCs, co-operative banks and AIFIs etc. – cannot collectively exceed 20% of any AIF corpus. Similarly investment in the unit capital of REITs and InvITs is capped at 10%, within the overall ceiling of 20% of net worth for equity, convertible instruments and AIF exposures. 

A question may arise on whether such limits, as applicable to investments in AIFs, would also be applicable to making investments in FMEs operating in IFSC? Practically, Indian banks are unlikely to invest in FMEs, because such investments would cause the FME to lose its tax benefits. For an FME to qualify as a “specified fund”, all its units must be held by non-residents, except those held by the sponsor. When this condition is met, the income of the fund is exempt under Section 10(4D) and the income received by non-resident investors is exempt under Section 10(23FBC) of the Income Tax Act. 

No circumvention of regulations through investments in AIFs 

Banks shall ensure that their exposure in an investee company through their investments in AIF schemes does not result in circumvention of any regulations applicable to banks. (see para 38D). This would mean that where a bank is restricted from having any exposure in an investee company (this may include restrictions on account of the end-use of funds, or restrictions in terms of limits to exposures etc), such exposures cannot be made indirectly through making investments in AIF schemes, which, in turn, leads to the bank’s exposures to such investee companies. 

Prohibition on Category III AIFs

The clearest prohibition concerns Category III AIFs. Banks are not permitted to invest in their corpus at all. If a subsidiary is a sponsor, it may hold only the minimum contribution required under SEBI’s regulations (which currently is lower of 5% of the corpus or ₹10 Crore as per proviso to Regulation 10(d) of the SEBI AIF Regulations, 2012). Highly traded, leveraged or long-short strategies are thus kept outside the perimeter of bank funding in a deliberate effort to insulate bank balance sheets from hedge-fund-type risk.

Globally, regulators have taken a different, more permissive route. In the United States, banks are not barred from investing in hedge-fund-type vehicles. Instead, the Volcker Rule restricts ownership to de-minimis levels, generally up to 3% of a fund and 3% of Tier 1 capital in aggregate.1

Under Basel’s CRE 60 framework, investments in funds are permitted, however, discipline lies in capital treatment:

  • If the bank can look-through to underlying exposures, risk weights are based on the underlying assets2;
  • Where transparency is not available, risk weights can rise to punitive levels, up to 1,250% –  making opaque fund exposures extremely capital-intensive.

Recently, IMF in its October 2025 Financial Stability Report has highlighted that banks’ exposures to non-banks, including private-credit and private-equity funds, have grown materially, raising concerns about concentration and potential spill-over risks.

India therefore stands apart. Where other jurisdictions rely on expensive capital and other constraints to manage hedge-fund-type exposures, the RBI has chosen to keep such structures outside the banking perimeter altogether. 

Provisioning and Capital Treatment

Capital consequences have also been tightened. Where a bank holds more than 5% of the corpus of an AIF that subsequently invests – other than in equity instruments3 – into a debtor company of the bank, a 100% provision must be created for the bank’s proportionate exposure (See our write-up on the same here). This directly addresses the risk that AIFs could become conduits for evergreening or indirect refinancing of stressed loans.

Overall Perspective

The Amendment Directions extend the guardrails on AIF participation to the bank group, as against the previous approach of regulating only the bank’s exposures. Guardrails are numerical and backed by provisioning and capital consequences. Any breach in the limits require reporting to RBI, with clear reasons and plan for corrective actions. For existing investments, banks are required to provide an action plan by 31st March, 2026 – ensuring the compliances within a maximum of 2 years, viz., 31st March 2028. 

RBI’s stance is more conservative than many international regimes, but the regulatory intent is unmistakable: prudential norms are not to be diluted simply because exposure is packaged through an AIF.

  1. See Section 619 of Dodd-Frank Wall Street Reform and Consumer Protection Act, 2010 ↩︎
  2.  CRE 60 offers three routes for capital treatment – look-through, mandate-based and fall-back – chosen according to how much visibility the bank has into the fund’s underlying assets. ↩︎
  3. Equity instruments means equity shares, compulsorily convertible preference shares (CCPS) and compulsorily convertible debentures (CCDs) ↩︎

See our other relevant resources:

  1. Bank group NBFCs fall in Upper Layer without RBI identification
  2. Group-level regulation: RBI brings major regulatory restrictions on banks and group entities
  3. RBI norms on intra-group exposures amended
  4. New NBFC Regulations: A ready reckoner guide