Jul 9, 2026

Code Breaches and Internal Controls: Beyond the Absence of UPSI

Share on

“Are your internal checks ready to withstand real-world regulatory probes?”

In the regulatory landscape for listed companies, the absence of undisclosed price-sensitive information (UPSI) does not guarantee that internal breaches will escape scrutiny. Even where no UPSI exists, a failure to comply with a company’s Code of Conduct, trading pre-clearance procedures, or internal escalation protocols can trigger inquiry from SEBI or stock exchanges. These inquiries are often prompted by observed market activity following a public disclosure, where anomalies in trading patterns may indicate lapses in governance or controls. The query itself typically focuses less on the disclosure and more on whether internal systems functioned effectively to prevent unauthorized trades or mitigate potential risks.

Internal breaches may include lapses such as unapproved trades, incomplete or delayed SDD entries, contra trades, pledge invocations, or other transactions conducted without proper oversight. Each such incident is evaluated not only on its technical compliance with the Code but also on whether the company had implemented a system capable of detecting, escalating, and remedying such breaches. The analysis often extends to how Designated Persons and their Immediate Relatives are mapped, the consistency and completeness of pre-clearance processes, and the contemporaneous record-keeping that supports decision-making and approvals. Companies that can demonstrate an active, functioning compliance framework, where violations are promptly investigated and proportionate corrective actions applied, typically present a stronger defense against regulatory scrutiny.

This article examines those nuanced scenarios where designated person trades, immediate relative transactions, trading-window compliance, SDD discipline, internal inquiry, consequence frameworks, or stock exchange queries may expose gaps.

For readers navigating these real-world challenges, clarifications or suggestions for future topics can be addressed to: litigation@indiacp.com | info@indiacp.com.

Can the Company Identify the Breach?

Under the SEBI (Prohibition of Insider Trading) Regulations, 2015, listed companies must implement a Code of Conduct to regulate, monitor, and report trading by designated persons and their immediate relatives. This framework is intertwined with broader obligations covering UPSI identification, SDD maintenance, disclosures, trading plans, pre-clearance approvals, contra trade restrictions, and reporting of code violations.[1]

Understanding what category the breach falls into is critical for assessing legal risk, designing the inquiry, and determining appropriate consequences.

Was the event insider trading? Or a trading-window violation? A pre-clearance lapse, a delayed disclosure, or an immediate-relative trade? Perhaps it involved a pledge, a contra transaction, an SDD entry issue, or a failure to escalate internally?

The classification directly informs the legal exposure, the internal review process, and the proportionality and design of corrective measures.

Companies should avoid mechanically labeling every incident as insider trading. At the same time, the absence of UPSI is not a reason to dismiss the issue. A recurring regulatory concern is not merely the trade itself, but how the company responded: Was the breach identified promptly? Was a thorough internal inquiry conducted? Was the Code applied consistently across similar cases? Was a defensible action-taken record preserved?

Without these steps, even non-UPSI events can escalate into broader governance and compliance challenges.

Pre-Clearance Is a Control Point, Not a Signature Line

Pre-clearance is often treated as a procedural approval. In substance, it is a live checkpoint. Before a trade is permitted, the company should be able to test whether the person is a designated person, whether the relevant immediate relatives are covered, whether the trading window is open, whether the person had access to UPSI, whether any event-sensitive information was in circulation, whether past trades create contra-trade risk and whether the proposed trade is consistent with the code.

This raises practical questions. How does the company decide who a designated person is? How often is that list refreshed? Are finance, strategy, legal, secretarial, investor relations, treasury, promoter-office and business teams mapped properly? Does the company test access to information, or only designation? When pre-clearance is sought, does the compliance officer have enough visibility into SDD, trading history and pending corporate events?

A pre-clearance form cannot answer these questions by itself. The form is only the visible end of the control system. If the underlying mapping is weak, approval may give false comfort.

Contra Trade and Relaxation: How Much Comfort Is Enough?

Contra-trade restrictions remain one of the more difficult areas in practice. The concern is not merely whether two transactions fall within a six-month period. The harder issue is whether the company understands why the second transaction occurred, whether it was voluntary or compelled, whether the person had access to UPSI, whether any relaxation was sought, and whether the reasons for relaxation are strong enough to survive later scrutiny.

SEBI’s FAQ guidance indicates that contra-trade restrictions are to be applied to each trade and that relaxation from strict application may be granted by the compliance officer for reasons recorded in writing, provided the relaxation does not violate the Regulations.[2] That phrase – “reasons recorded in writing” – should not be allowed to become a rubber stamp.

How deep should the company go before accepting a contra-trade explanation? What would be a defensible reason for relaxation? Would the answer change if the person is a CFO, a business head, a promoter-group employee or a junior executive with no relevant information access? What if the same factual pattern arises again? These are the questions each company should be able to answer through its own code, records and governance design.

Pledge, Invocation and Revocation: The Quiet Risk

Pledge-related events also require careful treatment. A pledge is not a conventional market buy or sell, but for PIT analysis, creation, revocation and invocation of a pledge are treated as trading.[3] This makes pledge monitoring relevant for disclosure, pre-clearance and contra-trade assessment.

At the same time, the company should not treat every pledge event as if it were a deliberate market transaction. Invocation may be broker-driven, lender-driven, margin-triggered or automatic. Revocation may occur without a conscious trading decision at the relevant moment. The real governance question is whether the company had a way to identify the event, understand the trigger, obtain supporting records, assess preventability and decide whether the breach was technical, negligent, repeated or deliberate.

An ill-managed pledge trail can become difficult to explain when it coincides with trading-window closure, a sensitive corporate event or an exchange query.

SDD and Control Systems: The Ticking Time-Bomb

The Structured Digital Database is often discovered as a problem only when a Stock Exchange or SEBI query arrives. That is too late. A delayed or incomplete SDD entry may appear clerical, but it may point to a deeper control issue: Who identified UPSI? When did the information become sensitive? Who had access? Was access captured in real time? Did trading-window closure follow the same assessment?

An ill-managed SDD, weak access mapping and casual trading approval process may remain hidden for months. Then one trade, one announcement, one complaint or one exchange email exposes the gap. The question for boards and audit committees is whether SDD is being maintained as a live control system or as a retrospective compliance artefact.

Internal Inquiry: Fairness Is in the Process

Once a breach or possible breach is identified, the company’s response should not be informal, selective or personality-driven. An internal inquiry does not require the company to conduct a courtroom trial. But it should be fair enough to be credible.

Fairness lies in the process: notice of the issue, opportunity to explain, collection of relevant trade and communication records, review of UPSI access, conflict check, escalation where required, and reasoned closure. The company should not brush a matter under the carpet. Equally, it should not impose a disproportionate consequence only to show seriousness.

This is especially important where the person involved is senior. Does the compliance officer have practical authority to examine the conduct of a CFO, MD, promoter-office employee or business head? What happens if the breach involves the compliance officer or a person to whom the compliance officer reports? Is there an escalation route to the Audit Committee, Board, Chairperson, Independent Director or external adviser? A policy that gives power without a conflict mechanism may look strong on paper but weak in practice.

The point is simple: when power to inquire is given, responsibility to inquire fairly and effectively follows.

Policies Must Be Implementable, Not Merely Impressive

A PIT code, penalty framework, conflict policy or inquiry SOP should not be drafted only for completeness. It should work on the ground. Can the compliance team actually verify past trades? Can it access SDD information? Can it identify immediate relatives? Can it obtain broker statements? Can it pause a decision where conflict exists? Can it consult external experts where the issue is legally or factually sensitive?

The need is for a guided process, not a one-off reaction. Regulators have their own procedures for inquiry and adjudication. Companies should not conduct internal compliance inquiries as if they are improvising every time. A compliance investigation SOP, conflict-of-interest protocol and consequence matrix can create structure without making the process rigid.

Poorly designed policies may also create risks outside securities law. Consequences involving monetary penalties, wage deductions, bonus impact, ESOP eligibility, suspension, termination or employment-record consequences should be tested against employment contracts, HR policies, standing orders, and applicable labour law. A securities compliance policy cannot assume that every internal penalty is automatically enforceable merely because it is written into a code.

Consequence Matrix: Baseline, Not Blind Formula

The phrase “penalty matrix” may suggest punishment. A better expression may be “consequence matrix”. Its purpose is not to replace the application of the mind. It is to make the decision effective, less time-consuming, non-arbitrary and recordable.

A good consequence matrix sets baselines, aggravating as well as mitigating factors. It distinguishes administrative lapses, trading-related breaches without UPSI, serious UPSI-linked misconduct, repeated conduct, concealment, non-cooperation and senior-management involvement. It allows exceptions. It recognises that different classes may be treated differently where role, designation, information access, function, trade value, intent, repeat conduct or cooperation differs.

But different treatment needs intelligible criteria. If two similar breaches lead to different outcomes, can the company explain why? Was one person a designated person by function? Did one person have access to the relevant information? Was one breach self-reported, while another was discovered only after an exchange query? Was one trade automatic while another was deliberate? Without recorded criteria, discretion can look like arbitrariness.

Consequence-setting should not become a memory exercise, a mood exercise or a trial by fire. It should be guided by policy, facts, proportionality and law.

The Wider Risk: Not Only the Trader

A code breach may begin with one employee or an immediate relative. It may not end there. If the company had no effective DP or IR mapping, no functioning pre-clearance process, no SDD discipline, no inquiry SOP, no reporting framework, no consequence matrix or no escalation for senior-person breaches, scrutiny may move from the trader to the company’s control environment.

The conduct of the compliance officer, key managerial personnel, managing director, board or committee may come into focus where the record suggests knowledge, neglect, inadequate systems, selective treatment or failure to report. The SEBI Act contains investigation powers, penalties for insider trading, penalties for failure to furnish information or maintain records, residuary penalty provisions, and provisions dealing with offences by companies and persons in charge in specified circumstances.[4] Liability is increasingly being extended to compliance officers and senior management for systemic failures, even where insider trading is not independently established.[5]

This means the company should not assume that “no UPSI” ends the matter. Sometimes, the more difficult issue is whether the company had a workable system at all.

 Conclusion: The Trade May Be Small. The Internal Control Question May Not Be.

For listed companies, trades by designated persons and immediate relatives should be seen as part of a larger compliance-control ecosystem. The trade is only one data point. Around it sit DP identification, information access, SDD entries, pre-clearance, trading-window closure, contra-trade review, pledge monitoring, internal inquiry, conflict management, employment-law sensitivity and consequence-setting.

The questions worth asking are not always simple. Who should inquire when the person involved is a senior? How should the company treat an automatic pledge invocation? When does a technical lapse become repeated indiscipline? How should different treatments be justified? Does the Audit Committee see only the result, or also the process? Are the Company’s policies practical and workable?

The absence of UPSI should refine the inquiry, not close it. A listed company does not need a harsh system. It needs a system that is workable, fair, legally grounded, and explainable when the next query arrives.


[1]

Id. regs. 2(1)(e), 2(1)(g), 2(1)(n), 3-5, 7-9A & sched. B; SEBI Circular No. SEBI/HO/ISD/ISD/CIR/P/2019/82, Standardizing Reporting of Violations Related to Code of Conduct under SEBI (Prohibition of Insider Trading) Regulations, 2015 (July 19, 2019), https://www.sebi.gov.in/legal/circulars/jul-2019/standardizing-reporting-of-violations-related-to-code-of-conduct-under-sebi-prohibition-of-insider-trading-regulations-2015_43618.html; SEBI Circular No. SEBI/HO/ISD/ISD/CIR/P/2020/135, Reporting to Stock Exchanges regarding Violations under SEBI (Prohibition of Insider Trading) Regulations, 2015 relating to the Code of Conduct (July 23, 2020), https://www.sebi.gov.in/legal/circulars/jul-2020/reporting-to-stock-exchanges-regarding-violations-under-securities-and-exchange-board-of-india-prohibition-of-insider-trading-regulations-2015-relating-to-the-code-of-conduct-coc-_47121.html.


[2]

SEBI, Comprehensive FAQs on SEBI (Prohibition of Insider Trading) Regulations, 2015, FAQs 36, 42-43, 46-47 (Dec. 31, 2024), https://www.sebi.gov.in/enforcement/clarifications-on-insider-trading/dec-2024/comprehensive-faqs-on-sebi-pit-regulations-2015_90403.html.


[3]

Id. FAQs 1, 13-15.


[4]

Securities and Exchange Board of India Act, 1992, §§ 11C, 15A, 15G, 15HB, 27, https://www.sebi.gov.in/acts/act15ac.pdf.

[5]

Securities and Exchange Board of India, Adjudication Order in the matter of insider trading activity by certain entities in the scrip of Shalimar Paints Limited (Jul. 25, 2024), https://www.sebi.gov.in/enforcement/orders/jul-2024/adjudication-order-in-the-matter-of-insider-trading-activity-by-certain-entities-in-the-scrip-of-shalimar-paints-limited-_85110.html

AUTHORED BY

Mr. Ravi Prakash

Associate Partner - Corporate Litigation & Representations

Advocate, Delhi High Court

ravi@indiacp.com

9818598604

Kriti Karn

Senior Associate

.

kriti@indiacp.com

+91 99594 90570

Request a Call
Scroll