Follow Us:

A working merchant banker’s guide to every recurring, event-based and one-time obligation under SEBI’s rulebook — what the regulation actually says, what it means in practice, and exactly when it falls due.

If you run compliance for a merchant banker — or you are the merchant banker — you already know the headline rule: the SEBI (Merchant Bankers) Regulations, 1992. What trips people up is everything SEBI has layered on top of it since: a Master Circular that turns broad principles into hard filing dates, a separate insider-trading regime with its own database requirement, a cybersecurity framework with annual audits, a brand-new digital-accessibility mandate, and — as of this year — a fresh set of net-worth and business-structure rules. Miss any one of these and you are non-compliant, even if your Regulations-only checklist looks complete.

This article puts all of it in one place, in plain language, with the exact clause each rule comes from so you (or your counsel) can verify it, and the real due date attached to each. Think of it as the calendar I wish someone had handed me on day one.

 In this guide:

1. The basics — registration & fees

2. The Master Circular add-ons

3. Insider trading & the database SEBI actually checks

4. Cybersecurity — audits you cannot skip

5. Digital accessibility — the new mandate

6. The 2025 net-worth & SBU overhaul

7. Your one-page master calendar

8. The five-minute takeaway

1. The basics — registration & fees

Every merchant banker’s compliance clock starts with the SEBI (Merchant Bankers) Regulations, 1992 (Reg. 3–12, Schedule II).

In plain English: you apply for registration (Form A) through the SEBI Intermediary Portal, pay a registration fee of ₹20 lakh within 15 days of being told your certificate is granted, and thereafter keep it alive with a ₹9 lakh continuance fee every 3 years starting from year 6. Miss the continuance fee and SEBI can suspend your certificate — meaning you legally cannot function as a merchant banker until you pay up.

Two numbers to memorise: your net worth must never fall below ₹5 crore (Reg. 7, 9A(1)(d)), and any single underwriting book, across all your live agreements, cannot exceed 20 times your net worth (Reg. 22B(2)). Both are checked, not just declared — auditors and SEBI inspections look for them.

If you’re managing an issue, the clock on your paperwork starts one month before the issue opens — that’s when you must have filed the statement of inter-se responsibilities among joint lead managers (Reg. 20(1)). Underwriting has its own separate deadline: if a company calls on you to subscribe to devolved shares, you have exactly 45 days to honour it (Reg. 22B(3)).

2. The Master Circular add-ons

This is where most Regulations-only checklists fall short. The Master Circular dated 26 September 2023 (SEBI/HO/CFD/PoD-1/P/CIR/2023/157) doesn’t create new law so much as it converts the Regulations’ broad duties into specific, dated filings.

In plain English: twice a year, you send SEBI a report card on yourself. Once a month, you publish your complaint numbers on your own website. And at all times, your website needs to be carrying information SEBI expects investors to be able to find.

What you must do How often / due Exact source
Submit the half-yearly report — activity, underwriting, complaints, board-reviewed, CO-certified, PDF+Excel to mb@sebi.gov.in Within 3 months of half-year end → 30 Jun & 31 Dec MC Ch. II.7, Annex. III
Publish complaints data on your website, category-wise By the 7th of every month MC Ch. II.9.3, Annex. VI
Keep the Investor Charter (all 8 activity types) live on your site Standing MC Ch. II.9, Annex. V
Display each managed IPO’s track record on your website 3 financial years from listing MC Ch. II.8, Annex. IV
Register two role-based email IDs (complaints; regulatory) with SEBI On registration, update on any change MC Ch. I.4, Annex. I
Get SEBI’s prior approval before any change in control, via the SI Portal Before the change; approval valid 6 months MC Ch. I.5

A quiet but important line in the Master Circular: you are barred from outsourcing core business activities or the compliance function itself (MC Ch. III.13). You can use vendors for infrastructure, but the accountability — and the judgment calls — must stay in-house.

3. Insider trading & the database SEBI actually checks

As a merchant banker you constantly handle Unpublished Price-Sensitive Information (UPSI) — draft financials, deal terms, board decisions — before the market ever sees it. That makes you a “fiduciary/intermediary” under the SEBI (Prohibition of Insider Trading) Regulations, 2015 (PIT Reg. 3, 9, 9A), with obligations that are easy to state and, in practice, easy to under-invest in.

 In plain English: every time UPSI passes through your firm, someone has to log it — who shared it, who received it, when — in a database that cannot be edited after the fact. That’s it. That is the single requirement that gets merchant bankers penalised most often, not the trading itself.

Obligation Timeline Source
Log every UPSI share/receipt in a Structured Digital Database — with PAN of everyone involved, non-tamperable, never outsourced Entry within 2 days PIT Reg. 3(5)
Preserve the database 8 years minimum, longer if under investigation PIT Reg. 3(6)
Adopt a board-approved code of conduct (minimum standards of Schedule C) One-time, keep current PIT Reg. 9
Independent review of PIT controls At least once a year PIT Reg. 9A(3)

BofA Securities India reportedly settled a SEBI matter for ₹58.5 lakh in May 2026 — not for insider trading, but for failing to maintain a Structured Digital Database compliant with Regulation 3(5), based on the publicly reported settlement order.

What that case actually teaches: SEBI does not need to prove anyone traded on inside information to penalise you. The absence of a proper, tamper-proof log is enough on its own. If your “database” is an Excel sheet a junior analyst updates when they remember to, you are exposed in exactly the same way BofA was — regardless of whether any leak ever happened.

Three fixes worth making this quarter: move the log onto dedicated, non-editable software; capture PAN, not just names, for every person; and reconcile it every quarter against your board minutes and live deal list, so gaps surface before an inspector finds them.

4. Cybersecurity — audits you cannot skip

SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) sorts every regulated entity into a size band — Qualified, Mid-size or Small — and a merchant banker doing issue management (IPOs, FPOs, buybacks, delisting, open offers) lands as a Mid-size RE unless it sits inside a larger conglomerate/SIFI group (CSCRF Table 9).

 In plain English: once a year, an outside CERT-In-empanelled expert has to try to break into your systems (VAPT) and separately audit your cyber controls. You need a committee that includes an outside cybersecurity expert, and if something does go wrong, the clock to report it is measured in hours, not days.

Obligation Timeline Source
Vulnerability Assessment & Penetration Testing (VAPT) by a CERT-In empanelled auditor Annually, starting Q1 of the FY CSCRF §4.3
Cyber audit (100% critical systems + 25% sample of others) Annually; report to SEBI within 1 month of completion CSCRF §4.4
Constitute an IT Committee with ≥1 external cyber expert Standing, meets at least annually CSCRF §3
Report cyber incidents through the SEBI portal Promptly — CERT-In norm: within 6 hours CSCRF, Respond

The practical trap here isn’t the audit itself — it’s the follow-through. Findings from both the VAPT and the cyber audit must be closed within 3 months and revalidated within 5 months. An audit report that sits in a drawer with unresolved findings is arguably worse than not having done the audit at all, because now there’s a paper trail proving you knew.

5. Digital accessibility — the new mandate

The newest addition to a merchant banker’s list: SEBI’s push to make every investor-facing website, app and portal accessible to persons with disabilities, under the Rights of Persons with Disabilities Act, 2016. It arrived across three circulars in mid-to-late 2025, and was then partly revised in December 2025 — which is exactly where a Regulations-only calendar goes stale fastest.

In plain English: list your digital platforms, get them checked for accessibility (WCAG “AA” level), fix what’s broken, and tell SEBI you’ve fixed it — then repeat that check every year. Merchant bankers report straight to SEBI, not through a stock exchange.

Milestone Original date Current date Source
Submit list of digital platforms 30 Sep 2025 Circ. 25 Sep 2025, Table C1
Appoint IAAP-certified auditor 14 Dec 2025 Replaced — see next row Superseded
Submit readiness/WCAG-AA status instead of appointing an auditor 31 Mar 2026 Clarification Circ. 8 Dec 2025
Initial accessibility audit report 30 Apr 2026 Circ. 25 Sep 2025, Table C3
Remediation & final report 31 Jul 2026 Circ. 25 Sep 2025, Table C4
Annual accessibility audit, every year after Within 30 days of each FY, from 30 Apr 2027 Circ. 25 Sep 2025

Two things practitioners get wrong here. First, the December 2025 clarification is genuinely a relief, not an added burden — SEBI dropped the December auditor-appointment deadline in favour of a simpler self-reported status by March 2026. If your checklist still shows “appoint auditor by 14 Dec 2025” as an open item, it’s simply out of date. Second, accessibility complaints now have their own category on SCORES — an investor can complain about your website being inaccessible exactly as they’d complain about a delayed refund, and you must remediate to close it out.

6. The 2025 net-worth & SBU overhaul

The most structurally significant change in years: the SEBI (Merchant Bankers) (Amendment) Regulations, 2025, notified 5 December 2025, rewrites net-worth and liquid-net-worth requirements and adds a brand-new Regulation 13A requiring merchant bankers to hive off certain activities into a Separate Business Unit (SBU). It also splits merchant bankers into Category I and Category II, each with its own net-worth bar.

In plain English: if you do things beyond core merchant banking under the same roof, SEBI now wants those activities ring-fenced in a separate unit. You’ll also need to decide which category you fall into, and meet a higher net-worth number in two stages. The industry asked for more time, and SEBI gave it — via a circular dated 11 June 2026.

Requirement Original date Extended to Source
Move non-permitted activities into an SBU 3 Jul 2026 31 Dec 2026 Ext. Circ. (a)
Comply with Clause 11.2.10 of the MB Circular 3 Jul 2026 31 Dec 2026 Ext. Circ. (b)
New net-worth requirement — Phase I 2 Jan 2027 31 Mar 2027 Ext. Circ. (c)
New net-worth requirement — Phase II 2 Jan 2028 31 Mar 2028 Ext. Circ. (d)
New liquid-net-worth requirement — Phase I 2 Jan 2027 31 Mar 2027 Ext. Circ. (e)
New liquid-net-worth requirement — Phase II 2 Jan 2028 31 Mar 2028 Ext. Circ. (f)
Tell SEBI whether you’re Category I or II 2 Jan 2027 31 Mar 2027 Ext. Circ. (g)

The extension buys time, but it doesn’t change the substance — everything else in the original 2 January 2026 circular still applies on its original dates. If you haven’t already, this is the moment to model both net-worth phases against your balance sheet and decide, deliberately, which category you want to be — it isn’t just a label, it sets the bar you have to clear.

7. Your one-page master calendar

Pulling every regime together, here’s the cadence a merchant banker’s compliance calendar should run on:

Frequency What’s due Regime
Monthly Complaints data on website, by the 7th Master Circular
Half-yearly Report to SEBI — 30 Jun & 31 Dec Master Circular
Annual PIT internal review; VAPT; cyber audit; accessibility audit (from Apr 2027) PIT · CSCRF · Accessibility
Every 3 years ₹9 lakh continuance fee (from year 6) MB Regulations
Continuous SDD entries within 2 days; net worth ≥ ₹5 crore; investor complaints resolved within 21 days PIT · MB Regulations
One-time, 2026–28 SBU transfer (Dec 2026); net-worth & category filings (Mar 2027 / Mar 2028) MB Amendment Regs.

 8. The five-minute takeaway

a. The Regulations set the principles; the Master Circular sets the actual dates — you need both.

b. The single item that gets merchant bankers penalised most often isn’t a missed filing — it’s an unmaintained Structured Digital Database under the insider-trading rules.

c. Cybersecurity is no longer a policy on paper — it’s an annual audit with an outside expert and an hours-long incident-reporting clock.

d. Digital accessibility is real and current — check whether your December 2025 obligations were correctly updated to the March 2026 relief, and get ready for 31 July 2026.

e. 2026–2028 brings a genuine restructuring question — Separate Business Units and a net-worth step-up — decide your category early; the extension gives you months, not years.

******

About the Author: CS Jigar Bhanushali is Vice President – Equity Capital Markets at Cumulative Capital Private Limited, a SEBI-registered Category I Merchant Banker and Book Running Lead Manager based in Mumbai.

Disclaimer: This article is written for general awareness among merchant bankers and compliance professionals, drawing on the SEBI (Merchant Bankers) Regulations, 1992 (as amended) and the MB (Amendment) Regulations, 2025; the SEBI Master Circular dated 26 September 2023; the SEBI (Prohibition of Insider Trading) Regulations, 2015; the SEBI Cybersecurity and Cyber Resilience Framework; the SEBI Digital Accessibility circulars dated 31 July 2025, 29 August 2025, 25 September 2025 and the Clarification Circular dated 8 December 2025; and the Extension of Timelines Circular dated 11 June 2026. The BofA Securities India reference is drawn from the publicly reported SEBI settlement order of May 2026. This article is for general awareness only, is not legal advice, and readers should verify current requirements against the original SEBI circulars and their own registration category before acting.

Author Bio

Jigar Bhanushali is Vice President – Equity Capital Markets at Cumulative Capital Private Limited (CCPL), a SEBI-registered Category I Merchant Banker and Book Running Lead Manager based in Mumbai. He is a qualified Company Secretary (ACS) from ICSI with close to 5 years of experience in Equity Ca View Full Profile

Join Taxguru’s Network for Latest updates on Income Tax, GST, Company Law, Corporate Laws and other related subjects.

Leave a Comment

Your email address will not be published. Required fields are marked *

Search Post by Date
July 2026
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031