Sebi sets rules for custodians offering services outside its oversight

Sebi has allowed custodians, excluding bank-backed ones, to offer financial services outside its purview through separate business units, with rules on disclosure, governance, and risk controls

The Securities and Exchange Board of India (Sebi) on Wednesday issued a framework allowing custodians — except those backed by banks — to undertake financial services that fall outside the market regulator’s purview.

 

Under the new norms, such activities must be carried out through a separate strategic business unit (SBU), distinct from services regulated by Sebi.

 

The regulator said custodians must maintain separate books of accounts for the SBU on an arm’s-length basis. The custodian’s net worth requirement must also be met after excluding the financials of the SBU.

 

The Custodians and DDPs Standards Setting Forum (CDSSF) will publish a list of financial services that custodians may undertake under the new framework. The forum will also finalise a classification of core and non-core activities in consultation with Sebi. Custodians will be permitted to outsource non-core activities.

 

 

To ensure investor protection, Sebi has mandated disclosures for such unregulated services.

 

“Such custodian shall obtain an acknowledgement from the client that no recourse is available to them with Sebi for grievances related to services obtained with respect to such unregulated activities of the custodian,” the regulator said in its circular.

 

The regulator has permitted sharing of manpower, infrastructure, and systems between regulated and unregulated activities, provided custodians put in place safeguards to address conflicts of interest. These include adequate internal controls, Chinese walls, and adherence to the “need-to-know” principle.

 

Separately, Sebi has streamlined compliance requirements by discontinuing certain reporting obligations that duplicate data already submitted to depositories.

 

On governance, custodians will be required to constitute board-level committees including audit, risk management, and nomination and remuneration committees. They must also implement comprehensive risk management frameworks covering operational, legal, and data security risks, along with systems for reporting suspicious transactions.

 

Most provisions will come into force from March 24, 2026. Some requirements — such as those related to wind-down frameworks and disaster recovery infrastructure — will be implemented in phases, with timelines extending up to 2029.