SEBI Releases Comprehensive Guidelines for Custodians: Key Highlights & Compliance Requirements


SEBI issued a detailed circular on March 4, 2026, outlining new governance, operational, and risk management requirements for Custodians. These updates follow the amendments to the SEBI (Custodian) Regulations, 1996, notified on September 18, 2025. The updated framework aims to strengthen investor protection, streamline compliance, and modernize the functioning of Custodians.

1. Background

The new circular formalizes conditions related to:

  • Net worth requirements
  • Allowable financial services activities
  • Governance structure
  • Technology and infrastructure expectations
  • Reporting obligations

These guidelines intend to enhance transparency, accountability, and efficiency in custodial operations across the securities market.

2. Segregation of Activities

2.1 Financial Services Activities

  • The list of permitted financial services will be finalized by the Custodians and DDPs Standards Setting Forum (CDSSF) in consultation with SEBI.
  • Custodians that are not banks or bank subsidiaries/associates/JVs must maintain separate Strategic Business Units (SBUs) for:
    • SEBI regulated financial services
    • Non-SEBI financial services
  • Mandatory safeguards include:
    • Separate accounts on an arm’s-length basis
    • Net worth calculations excluding non-regulated SBU books
  • Custodians offering unregulated financial services must:
    • Disclose this to clients
    • Obtain written acknowledgment that SEBI grievance redressal is unavailable for such services

2.2 Resource Sharing

Custodians may share infrastructure, manpower, and systems with other financial services, subject to strong conflict-of-interest controls, including:

  • Chinese walls
  • “Need to know” principles
  • Adherence to SEBI’s 2013 conflict-of-interest guidelines

3. Outsourcing of Activities

  • Custodians may outsource only non-core activities, as per SEBI’s outsourcing circular (Dec 15, 2011).
  • CDSSF will develop and approve the definition of core vs. non-core activities for unified industry interpretation.

4. Vault Requirements

  • If no physical securities are held, no vault is required.
  • If physical securities are held, Custodians must maintain a vault or equivalent safe storage based on industry standards set by CDSSF and SEBI.
  • Vault specifications and size must be reported quarterly.

5. Obligations & Responsibilities (Regulation 19B)

5.1 Governance Structure

  • Custodians must establish committees such as:
    • Audit Committee
    • Nomination & Remuneration Committee
    • Risk Management Committee
  • Bank-based Custodians may rely on existing bank-wide committees.
  • Board/committee oversight must include review of incidents, vulnerabilities, and data breaches.
  • CFO must provide periodic reports covering financial status, related party transactions, internal controls, and compliance.
  • Observations and corrective actions must be documented.

5.2 Risk Management

  • A well-documented risk management policy is mandatory.
  • Policy must address:
    • Root cause analysis
    • Early identification
    • Impact assessment
  • The policy must include STR reporting to FIU and monitoring of alerts from Depositories.
  • Adequate human resources, automation tools, and a senior risk officer are required.
  • Annual (or ad hoc) review of the risk policy is mandatory.

5.3 Technology & Infrastructure

  • Non-bank Custodians require a framework, approved by the IT committee, for ongoing tech upgrades.
  • Systems must handle 1.2× the previous year’s average transaction load.

5.4 Orderly Wind Down Framework

Custodians must have a plan that maintains seamless service continuity in case of closure, ensuring:

  • Smooth portability of clients
  • Protection of funds and securities
  • Adequate prior notice
  • Minimal market disruption

Wind-downs due to regulatory or financial distress will be supervised by SEBI/MIIs.

5.5 Business Continuity & Disaster Recovery (BCP/DR)

  • A comprehensive BCP is mandatory, reviewed annually.
  • The DR site (DRS) must:
    • Be in a different seismic zone or at least 250 km away from the primary data center (PDC)
    • Match the PDC on hardware, software, and environment
  • An annual DR drill is required, with at least one full working day of operations running from the DRS.
  • Annual audits must cover BCP/DR readiness and infrastructure robustness.

6. Reporting Requirements – Simplified

SEBI has discontinued multiple redundant reports because Custodians already submit similar data to NSDL/CDSL. Discontinued reports include:

  • Fortnightly ISIN-wise AUC of FPIs
  • Category-wise AUC for all clients
  • Category-wise and country-wise AUC for FPIs
  • Change of Custodian details report

7. Implementation Timelines

  • Most provisions effective from March 24, 2026
  • Wind-down framework: by September 23, 2026
  • DRS compliance (seismic separation): by March 23, 2029

SEBI’s updated custodian guidelines aim to modernize operations, reinforce governance, and enhance investor protection. Custodians must now upgrade their governance structures, risk frameworks, technology environments, and compliance processes to meet these strengthened expectations.

Published by
Vishal Aggarwal

Professional Analyst K.G. Somani & Co LLP

