Sebi’s new rule to curb insider trading conflicts with bank secrecy law, experts argue


Sebi’s dual structured digital database (SDD) rule requires India’s listed banks to maintain two distinct, tamper-proof digital logs of unpublished price-sensitive information (UPSI). One database must track the bank’s own UPSI, while the second must log confidential data held on behalf of its clients, such as companies it advises or lends to.

While the market regulator’s goal is to curb insider trading, the industry is warning of a disproportionate compliance burden that could put Indian banks at a disadvantage to their global peers through higher costs and technological burdens.

Legal conflict

But beyond the financial and technological hurdles lies a fundamental legal conflict. Vivekanandh, managing partner of legal firm SMV Chambers, said the mandate created friction with long-standing banking secrecy obligations.

Under laws such as the Banking Regulation Act, banks are legally bound to protect customer information, and disclose it only under specific compulsions such as a court order. This duty of confidentiality is at odds with Sebi’s requirement to log sensitive client data in a regulatory database. “Clients may resist or even legally challenge the notion that their sensitive financial data must be captured in a regulator-mandated log,” Vivekanandh argued.

A major grey area is the classification of information—distinguishing between general confidential data and specific UPSI. An overly cautious bank might over-report, logging excessive client data and heightening legal risks, while a narrow interpretation could lead to regulatory action from Sebi.

“This is not just a compliance headache but a legal conflict of first principles,” he added.

Fighting insider trading

Addressing the heads of listed banks on 3 September, Sebi chairman Tuhin Kanta Pandey said fighting insider trading was essential to preserving the “very integrity of the financial system”. He underscored the unique position of banks, which often have access to market-moving information about other listed companies. “This information, if leaked, even unintentionally, could move markets, impact shareholder wealth, and erode investor trust,” Pandey cautioned.

The SDD is Sebi’s primary tool in this effort. “When a regulatory authority comes knocking,” Pandey said, “your ability to instantly and comprehensively demonstrate who knew what, and when, will be your greatest defence”.

While the regulatory intent is clear, the operational reality for banks is one of significant technical challenges and soaring costs. Experts warned that the dual SDD requirement was far from a simple ‘plug-and-play’ software installation.

Costs of compliance

Sriram Kalyanaraman, a banking, financial services and insurance (BFSI) advisor for consulting firm Practus, estimated that even mid-size players could end up spending 35-60 lakh a year. This figure includes costs for top-tier SDD software at 3-8 lakh per database to start, ‘hacker-proof’ hardware at 7-12 lakh, and seamless integration with legacy systems, which costs up to 20 lakh. Annual software maintenance, cybersecurity audits, and compliance team salaries could easily add another 12 lakh or more each year, he said.

The technological burden is also significant, experts said. According to Nishant Shah, managing partner & CEO of technology firm Jonosfero, a subsidiary of Acies Group, maintaining two fully segregated and synchronised SDD instances would more than double costs. “The attendant infrastructural costs for banks would be relatively higher, given more stringent regulations apply because of their criticality in the market infrastructure,” he said.

Shah noted that while sophisticated applications with integrated information barriers exist, few are mature enough to handle the complex needs of large banking systems, risking a ‘square peg in a round hole’ situation.

“The reason there are so few other applications is because most solutions were initially designed simply to meet the needs of listed entities that are not as complex as those of listed BFSI businesses like banks & NBFCs”, he said. He added that to address this complexity, sophisticated offerings such as Affinis (SDD) have integrated information barriers so UPSI can be managed separately for the ‘home’ entity and ‘other’ entities within a single environment.

Sebi considers SDD compliance a non-delegable responsibility, which amplifies the personal risk for senior executives. The regulations also place a heavy burden of personal liability directly on bank leadership. “Directors and compliance officers now face heightened, direct liability for not maintaining accurate, timely, and tamper-proof SDDs,” said Alay Razvi, managing partner at Accord Juris.

He clarified that under Sebi’s stringent framework, unintentional leaks or even incomplete database entries could have severe consequences, including monetary penalties and prosecution, ‘regardless of intent’.

Only in India

This prescriptive approach is unique to India. Jurisdictions such as Hong Kong and Singapore, also known for strict market conduct rules, focus more on robust internal controls and information barriers than mandating dual, auditable databases.

“In execution, Indian banks are being asked to operate at a compliance standard that is more demanding than jurisdictions globally,” said Vivekanandh. This, he and other experts argued, creates an uneven playing field where Indian banks and foreign banks operating in India incur far higher compliance costs than their global peers.

While Sebi’s goal of strengthening market integrity is widely supported, the industry is grappling with the unprecedented operational, financial, and legal complexities of a reform that has no global parallel.


