The Securities and Exchange Board of India (SEBI) issued a circular setting out operational conditions and modalities under the amended SEBI (Custodian) Regulations, 1996. The guidelines cover permitted financial services and activity segregation, outsourcing boundaries, vault requirements for physical securities, and a strengthened compliance and governance framework including risk management, technology capacity, business continuity and orderly wind-down planning. SEBI also removed several periodic reports submitted directly to SEBI to eliminate duplicate reporting already made to depositories.

The circular provides that the list of financial services activities a custodian can undertake under its registration will be specified through the Custodians and DDPs Standards Setting Forum (CDSSF) in consultation with SEBI. Non-bank custodians (and those not part of a banking group) must run SEBI-regulated and non-SEBI financial services through separate Strategic Business Units, maintain separate arms-length accounts, and meet the custodian net worth requirement after excluding the SBU books. Where unregulated financial services are offered, clients must be told the services are unregulated and must acknowledge that SEBI will not provide recourse for grievances related to those activities.

While custodians may share manpower, infrastructure and systems across financial services, they must implement controls (including Chinese walls and need-to-know principles) and continue to follow SEBI’s conflict-of-interest guidance. For outsourcing, CDSSF will develop a SEBI-approved categorisation of core and non-core activities to ensure consistent application of SEBI’s prohibition on outsourcing core activities and compliance functions.

Vault requirements are replaced so that no vault is required if no physical securities are held; if physical securities are held, they may be stored in a vault, safe or equivalent storage features harmonised through CDSSF with full client disclosure and informed consent, and vault specifications and size must be submitted in quarterly reports.

The governance and operational framework specifies:

- board-level committees (with certain flexibility for bank custodians relying on bank-wide structures);
- board oversight of incidents, including data security breaches;
- CFO reporting to the audit committee on financial status and controls;
- documented risk management policies, including suspicious transaction reporting to the Financial Intelligence Unit and monitoring depository alerts;
- a designated senior risk officer;
- minimum system capacity of 1.2 times the average transaction load of the preceding year;
- detailed business continuity and disaster recovery expectations, including annual DR drills and auditor checks.

SEBI discontinued five SEBI-facing reports, including ISIN-wise and category-wise asset-under-custody reporting for foreign portfolio investors and other client categories, country-wise AUC reporting for FPIs, and monthly reporting of changes in custodian details.

Most provisions take effect from March 24, 2026. Custodians must have an orderly wind-down framework in place by September 23, 2026, and must comply with the disaster recovery site location and separation requirements by March 23, 2029.

Securities & Exchange Board of India 2026-03-04
Securities and Exchange Board of India issues custodian guidelines strengthening governance, risk controls and IT resilience while easing vault and reporting rules
The Securities and Exchange Board of India (SEBI) issued a circular detailing operational conditions under the amended SEBI (Custodian) Regulations, 1996. Key updates include activity segregation, outsourcing boundaries, vault requirements, and enhanced compliance and governance frameworks. SEBI also eliminated several redundant periodic reports to streamline reporting processes.