Inside a SEBI Investigation: How Your SDD Records Become Evidence Against You
InsiderQ • Evidence Against You • 7 min read
- What the SDD Is Supposed to Be
- How SEBI Actually Uses SDD Records in an Investigation
- The Checkpoint SDD vs. the Forensic-Grade SDD
- What Investigators Look For as Red Flags
- The Personal Liability That Comes With It
- The 8-Year Retention Requirement: A New Operational Challenge
- Why This Matters for SME-Listed Companies Specifically
Most listed companies treat the Structured Digital Database as a compliance filing. SEBI investigators treat it as a timeline, and that difference changes everything.
When SEBI opens an inquiry into suspected insider trading at a listed company, one of the first things its officials request is an extract of the company's SDD. What they receive, or fail to receive, shapes the entire trajectory of the investigation.
Understanding what investigators look for, and why, is essential for any Compliance Officer who wants to understand the real stakes of SDD compliance.
What the SDD Is Supposed to Be
The requirement for a Structured Digital Database was introduced through the SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2018, and became mandatory from April 1, 2019. Regulation 3(5) of the PIT Regulations requires every listed company and intermediary to maintain a database that records:
- The nature of UPSI (Unpublished Price Sensitive Information) that was shared
- The names of persons who shared it and with whom it was shared
- The date and time of sharing
- The purpose for which it was shared (e.g., due diligence, advisory mandate, board meeting)
- The PAN number of every recipient
The intent is explicit: the SDD creates a traceable record of everyone who had access to UPSI, for what purpose, and when. It is the regulatory infrastructure that makes insider trading investigations forensically possible at scale.
How SEBI Actually Uses SDD Records in an Investigation
When SEBI's Integrated Surveillance Department (ISD) or the Division of Enforcement flags unusual trading patterns around a price-sensitive event, the investigation follows a structured sequence:
Step 1: Identify the trading anomaly
SEBI's surveillance systems analyse pre-announcement trading volumes, price movements, and options activity across all exchanges. When patterns deviate significantly (say, unusual call buying three days before a positive earnings surprise), it triggers further inquiry.
Step 2: Map the UPSI timeline
SEBI establishes exactly when the UPSI came into existence. For a quarterly result, that might be the date the CFO received the draft P&L. For an acquisition, it might be when the term sheet was signed. The company's SDD is supposed to reflect this.
Step 3: Cross-reference SDD with trading records
SEBI compares the list of persons who had access to the UPSI (from the SDD) against the list of persons who traded in the company's securities during the UPSI window. Overlap is not proof — but it creates a list of persons who require explanation.
Step 4: Identify persons who traded but are not in the SDD
This is where many investigations find their first significant finding. If a person traded in the UPSI window and their name does not appear in the SDD, investigators must determine why. The most benign explanation is informal channels not captured — that is a compliance failure. A less benign explanation: the SDD was not accurate, or records were edited after the fact.
Step 5: Look at entry timestamps relative to UPSI events
Under the 2025 PIT Amendment (effective June 9, 2025), UPSI must be entered within two calendar days of it coming into existence. Investigators will check whether entries were made in real time or entered in bulk after the fact: for example, all entries for a quarter appearing on the same date, weeks after the events.
The Checkpoint SDD vs. the Forensic-Grade SDD
There is a meaningful difference between an SDD that satisfies the minimum compliance checkbox and one that would survive forensic scrutiny in an investigation.
A checkpoint SDD typically:
- Exists as an Excel spreadsheet or a basic database maintained by the Company Secretary
- Is updated periodically, perhaps monthly or quarterly, rather than within 48 hours of each UPSI event
- Records who formally received board papers, but not informal discussions, calls with advisors, or WhatsApp communications
- Has no automatic timestamps (the "date entered" field is whatever the person typed)
- Is stored in a shared folder with no access log or version history
- Does not capture purpose of sharing or PAN numbers consistently
A forensic-grade SDD:
- Is maintained in a system that creates immutable, server-side timestamps at the moment of entry (timestamps that cannot be changed by the person making the entry)
- Has an audit log showing who entered what, when, and whether any entry was ever edited or deleted
- Captures UPSI events within the 2-calendar-day window required from June 9, 2025
- Records recipients comprehensively, including advisors, consultants, bankers, and legal counsel who received UPSI under confidentiality agreements
- Links UPSI events to trading window closure decisions, so there is a documented trail from "UPSI identified" → "trading window closed" → "UPSI made public" → "trading window reopened"
- Is stored with backups and retention infrastructure that supports the 8-year retention mandate under the 2025 amendments
When investigators receive a checkpoint SDD, they have an additional finding before they even get to the trading data: the company did not maintain the records it was required to maintain.
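One way to get the server-side timestamps and edit-evident audit trail listed above is a hash chain over append-only entries. This is an added example, not code from the article or from any SDD product; the class, field names and sample values are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry

def _digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class SddLog:
    """Append-only SDD store: each entry commits to the one before it."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock  # server clock; the person entering data never supplies it
        self.entries = []

    def append(self, user: str, record: dict) -> dict:
        body = {
            "seq": len(self.entries),
            "entered_at": self._clock().isoformat(),  # server-side timestamp
            "entered_by": user,
            "record": record,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; archive it outside the system to anchor the chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Return the seq of the first entry that fails verification, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

if __name__ == "__main__":
    log = SddLog()
    log.append("cs@example.com", {"upsi": "Q1 draft results",  # constructed sample
                                  "recipient_pan": "ABCDE1234F"})
    log.entries[0]["entered_at"] = "2025-07-01T09:00:00+00:00"  # simulated backdating
    print("first bad entry:", log.verify())
```

Corrections are made by appending a new entry that refers to the earlier `seq`, never by editing in place. Someone with full write access could recompute the whole chain, so the value of `head()` should be recorded periodically somewhere the SDD operator cannot alter.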
What Investigators Look For as Red Flags
Based on SEBI's enforcement actions and published orders, the following patterns in SDD records tend to attract further scrutiny:
Bulk retroactive entries
If multiple UPSI events are entered on the same date, investigators will ask why. A company that generates UPSI continuously (through board meetings, management discussions, fundraising) should have entries distributed across time, not clustered.
Missing PAN numbers
The PIT Regulations require PAN numbers for all recipients. Missing or placeholder PANs suggest the company did not properly collect this information, or that the database was not being maintained rigorously.
SDD entries that don't align with trading window records
If the SDD shows UPSI first entered on date X, but the trading window was closed from date X-5, investigators will ask what triggered the earlier closure: was there UPSI not captured in the SDD?
Short UPSI windows
If the SDD consistently shows UPSI entering and exiting very quickly, investigators will assess whether the UPSI classification was accurate, or whether events were being classified to minimise the compliance burden.
SDD entries added after an enforcement notice was received
This is the most serious red flag. It can convert what might have been a civil penalty into an allegation of obstruction or falsification of records.
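A Compliance Officer can run the same checks on their own SDD before anyone else does. The self-audit below covers the cross-referencing in Steps 3 to 5 and the bulk-entry and missing-PAN red flags; it is an added example, not SEBI's method or the article's code, and the field names, the bulk threshold and all sample data are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")  # 10-character PAN layout
MAX_LAG_DAYS = 2   # entry window described in Step 5
BULK_EVENTS = 3    # assumption: 3+ distinct events entered on one day is "bulk"

def audit_sdd(entries, trades):
    """Return findings per check; every flagged item needs an explanation on file."""
    late = sorted({e["event"] for e in entries
                   if (e["entered"] - e["created"]).days > MAX_LAG_DAYS})
    bad_pan = sorted({e["event"] for e in entries if not PAN_RE.match(e["pan"] or "")})
    # Distinct events per entry date (one event with many recipients counts once).
    per_day = Counter(d for _, d in {(e["event"], e["entered"]) for e in entries})
    bulk_days = sorted(d for d, n in per_day.items() if n >= BULK_EVENTS)
    recipients, window = defaultdict(set), {}
    for e in entries:
        recipients[e["event"]].add(e["pan"])
        window[e["event"]] = (e["created"], e["public"])
    overlap, unlisted = set(), set()
    for t in trades:
        for ev, (start, end) in window.items():
            if start <= t["on"] < end:  # trade fell inside this UPSI window
                (overlap if t["pan"] in recipients[ev] else unlisted).add((t["pan"], ev))
    return {"late": late, "bad_pan": bad_pan, "bulk_days": bulk_days,
            "traded_in_sdd": sorted(overlap), "traded_not_in_sdd": sorted(unlisted)}

def _e(event, created, entered, public, pan):
    return {"event": event, "created": created, "entered": entered,
            "public": public, "pan": pan}

# Constructed sample data: three events, all typed in on the same day.
SAMPLE_ENTRIES = [
    _e("Q1-results", date(2025, 7, 1), date(2025, 8, 20), date(2025, 7, 25), "ABCDE1234F"),
    _e("Q1-results", date(2025, 7, 1), date(2025, 8, 20), date(2025, 7, 25), "TBD"),
    _e("fundraise", date(2025, 8, 5), date(2025, 8, 20), date(2025, 9, 1), "PQRST5678K"),
    _e("acquisition", date(2025, 8, 19), date(2025, 8, 20), date(2025, 9, 15), "ABCDE1234F"),
]
SAMPLE_TRADES = [  # constructed trades by designated persons
    {"pan": "ABCDE1234F", "on": date(2025, 7, 10)},  # recipient, traded in window
    {"pan": "LMNOP4321Z", "on": date(2025, 8, 10)},  # traded in window, not in SDD
]

if __name__ == "__main__":
    for check, found in audit_sdd(SAMPLE_ENTRIES, SAMPLE_TRADES).items():
        print(f"{check}: {found}")
```

The `entered` date is only meaningful if it comes from a system-generated timestamp; on a spreadsheet where the date is typed by hand, the lag check proves nothing.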
The Personal Liability That Comes With It
The SDD is not a corporate record that sits anonymously in a compliance folder. It is a record that the Compliance Officer is personally responsible for maintaining correctly.
Regulation 3(5) of the PIT Regulations places the obligation on the listed entity, but SEBI's enforcement practice, confirmed by the Edelweiss Financial Services case where the CO was personally penalised, makes clear that the CO is the accountable individual.
- ₹25 Cr or 3× profits, whichever is higher: penalty under Section 15G of the SEBI Act, 1992 for insider trading-related violations.
- ₹1 Lakh/day, up to ₹1 crore total: specific penalty under Section 15A(b) for record-keeping failures, separate from and in addition to any underlying compliance penalty.
The 8-Year Retention Requirement: A New Operational Challenge
The 2025 PIT Amendment introduced an 8-year retention mandate for SDD records. Eight years of SDD records means:
- Any company listed since April 2019 must retain records across multiple technology systems, office moves, key personnel changes, and data migrations
- If your SDD is in Excel, where will that file be in 2031? Who will have it? Will it be readable? Will its integrity be verifiable?
- If records were not maintained from 2019 onward, the company now has a documented gap covering early years that SEBI could still investigate
The retention requirement is not just about data storage. It is about maintaining a chain of custody over records that could become evidence. A record that exists but cannot be authenticated as having been contemporaneously made is worth considerably less than one that can.
Why This Matters for SME-Listed Companies Specifically
Companies on the BSE SME and Startup Platform are often under the impression that their compliance exposure is lighter than that of main-board companies. For certain LODR Regulation 46 disclosures, that is partially true.
But the PIT Regulations have no SME carve-out. Every listed company, regardless of size, trading volume, or market capitalisation, is required to maintain a fully compliant SDD, enforce trading window restrictions, monitor designated persons, and preserve records for 8 years.
The enforcement risk for a smaller company is, if anything, higher: a large company typically has a full-time compliance team and dedicated systems. At a smaller company, the CO is often a part-time role, systems are basic, and processes put in place at IPO may not have evolved as SEBI's requirements have.
When SEBI requests your SDD, the regulator does not apply a size discount on what it expects to find.