Custodians Redefined: From Service Providers to Market Infrastructure

A major regulatory shift is underway—one that quietly but fundamentally changes how custodians operate in India.

With its March 2026 circular, Securities and Exchange Board of India (SEBI) has moved beyond incremental updates and introduced a holistic compliance architecture, aligning custodians with global standards of governance, risk, and resilience.

What the Circular Actually Does

The circular operationalizes earlier regulatory amendments and introduces clear, enforceable expectations across key areas:

1. Mandatory Segregation of Activities

Non-bank custodians must:

• Operate financial services via separate Strategic Business Units (SBUs)
• Maintain arms-length accounting
• Meet net worth requirements independently

Additionally, unregulated services now require:

• Explicit disclosure to clients
• Client acknowledgement limiting SEBI recourse

2. Governance Moves to the Boardroom

Custodians must establish:

• Audit Committee
• Risk Management Committee
• Nomination & Remuneration Committee

Board oversight now extends to:

• Cybersecurity incidents
• Data breaches
• Investor protection risks

CFO reporting obligations have also been expanded significantly.

3. Risk Management: From Policy to Practice

The focus shifts to active risk frameworks, including:

• Identification of operational, legal, and data risks
• Integration with Suspicious Transaction Reporting (STR) systems
• Appointment of a dedicated senior risk officer

4. Technology & Capacity Requirements

Custodians must:

• Handle 1.2x peak transaction volumes
• Continuously upgrade infrastructure
• Implement automated compliance and monitoring systems

5. Business Continuity & Disaster Recovery (BCP-DR)

Detailed requirements include:

• Geographical separation of DR sites
• Annual DR drills with full operational testing
• Auditor validation of preparedness

6. Orderly Wind-Down Framework

A significant addition:

• Mandatory plan for client portability
• Protection of client assets during exit
• Regulatory supervision in stress scenarios

7. Rationalization of Reporting

SEBI removes redundant AUC reporting requirements, reducing duplication—but not reducing accountability.

Why This Matters

This is not just a compliance update—it reflects a regulatory philosophy shift:

• From documentation → demonstrable controls
• From entity-level compliance → activity-level accountability
• From operational convenience → systemic resilience

Custodians are now being treated as systemically important financial intermediaries.

Practical Implications:

A. For CAs / Auditors:

• Greater emphasis on:
  • Segment reporting (SBUs)
  • Internal financial controls
  • BCP-DR testing evidence
• Audit scope expands into risk systems and capacity validation

B. For Compliance Professionals:

• Redesign:
  • Client disclosures
  • Conflict management frameworks
• Strengthen:
  • Surveillance systems
  • STR reporting mechanisms

C. For Legal Advisors:

• Draft and review:
  • Limitation of liability clauses
  • Governance structures
• Evaluate exposure in unregulated service offerings

This circular is less about adding compliance—and more about testing institutional strength.

The real differentiator going forward will not be who complies, but who can sustain operations under stress, scale, and scrutiny.