IndiaSEBI Compliance

How to Automate Client Research Notes Under SEBI Regulation 25

Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 is one of the most commonly cited compliance gaps in SEBI inspections of individual Research Analysts. The rule is straightforward: keep tamper-proof records of every research report and client communication for 5 years. The gap is that most RAs use tools, WhatsApp, Excel, email, that are not tamper-proof by design. This guide covers what Regulation 25 actually requires and how to automate compliance.

May 25, 2026 ยท 9 min read ยท By Aktai Team

Note: This is an informational guide, not legal or compliance advice. Consult a SEBI-qualified compliance officer or advocate for advice specific to your practice.

What Regulation 25 actually requires

Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 states that every Research Analyst must maintain the following records for a minimum of five years:

  • All research reports issued to clients, including draft versions.
  • All client communications related to research, including emails, messages, and notes.
  • Records of the basis for each recommendation: the data, analysis, and rationale used.
  • Conflict of interest disclosures made in connection with each report.

Critically, the regulation specifies that records be maintained in a manner that ensures they cannot be tampered with. This is not a vague aspiration. SEBI expects records that can demonstrate, if challenged, that the content has not been altered since the original communication date.

The practical implication: if a client disputes a recommendation you made 18 months ago, SEBI can request the original record. You need to produce a document with a verifiable original timestamp and provably unaltered content. "I have the WhatsApp message" is usually not sufficient.

Why common methods fall short

Most independent RAs use one or more of these approaches. All of them have meaningful compliance gaps.

Screenshots of WhatsApp chats

Not tamper-evident. Timestamps can be altered. Messages can be deleted before screenshots are taken. Phone replacement loses the history. No structured export for SEBI.

Excel or Google Sheets log

Editable after the fact. "Last Modified" timestamp shows when a cell was last touched, not when a note was originally written. Not compliant with Regulation 25's tamper-proof requirement.

Email archive (Gmail, Outlook)

Better than Excel for timestamps, but emails can be deleted. Attachments can be altered before sending. Emails from a personal account to clients mix personal and professional communications. Export is not structured for SEBI inspection.

PDF saved to a folder

PDFs can be regenerated with altered content. File system timestamps are trivially modified. No client linkage, no searchable audit trail. Does not demonstrate tamper-evidence to an inspector.

This is not about SEBI being unreasonable. The requirement that records be tamper-proof exists to protect clients. If an RA could quietly update a research note after a bad call, clients would have no recourse. The regulation locks the record at the moment of communication.

The technical standard: hash + timestamp + client ID

Tamper-evident record keeping is a solved problem in software. The standard approach uses three components:

SHA-256 hash

A cryptographic fingerprint of the note content, computed at the moment of send. If a single character of the note is changed after the fact, the hash changes. The mismatch is detectable by anyone with the original content and hash value.

Timestamp

Set server-side at the moment of send, not derived from the client device clock. A server timestamp that is logged to an immutable record cannot be retroactively altered without access to the database. The timestamp should record both UTC and IST to avoid ambiguity.

Client ID

Every record links to the specific client who received the communication. SEBI inspections often focus on a specific client complaint. Without client linkage in the audit trail, the RA must search manually through communications to reconstruct the history.

Together, these three fields create a record that is tamper-evident in the sense required by Regulation 25. SEBI inspectors can take the note text, run it through SHA-256, and verify the hash matches the stored value. If it does, the content is provably the same as when it was sent.

How Aktai for Research Analysts implements it

Aktai for Research Analysts automates the full Regulation 25 record-keeping workflow. Here is the step-by-step flow.

1

Note is drafted

The RA writes a research note or recommendation in the Aktai for Research Analysts interface.

2

Hash sealed on send

At the moment the RA clicks Send, the note content is run through SHA-256. The resulting hash is stored alongside the note text, timestamp, and client ID. Neither the RA nor Aktai can alter the note without breaking the hash.

3

Delivery to client

The note is delivered to the client via WhatsApp or Telegram using the official Business API. Delivery confirmation (sent/delivered/read status) is also logged.

4

Record stored for 5 years

The sealed record: note text, hash, timestamp (UTC + IST), client ID, delivery status, is stored in the Aktai system for the full 5-year retention period required by Regulation 25.

5

Export for SEBI inspection

When SEBI requests records, the RA generates a CSV export from the Aktai dashboard. The export includes the note text, hash value, timestamp, and client ID for every communication in the requested period, formatted for straightforward inspection review.

Sample CSV export row (SEBI inspection format):
record_id, client_id, sent_at_utc, sent_at_ist, content_hash_sha256, note_text, delivery_status
RA-2026-004821, client-0042, 2026-05-25T08:14:22Z, 2026-05-25T13:44:22+05:30, a3f7c1..., "HDFC Bank Q4 FY26: PAT โ‚น16,512 Cr, +12% YoY...", delivered

What SEBI inspectors look for in record-keeping

Based on publicly available SEBI inspection orders and adjudication proceedings against Research Analysts, the most common record-keeping findings are:

  • No records at all for the period under inspection. The RA cannot produce any documentation of communications with the complainant client.
  • Records that do not match the communication content alleged by the client. The RA has a record, but it shows a different recommendation than what the client claims was received.
  • Records older than 3 years that have been deleted or lost due to device replacement. The 5-year retention window extends well beyond typical phone upgrade cycles.
  • Research notes that are not linked to specific clients. The RA sent a group broadcast on WhatsApp but has no record of which clients received it.

Built for Regulation 25

Aktai for Research Analysts: tamper-evident logging for SEBI RAs

Every research note sent through Aktai is SHA-256 hashed at send time. Client ID, timestamp, delivery status, and hash are stored for 5 years. One-click CSV export for SEBI inspection. Designed specifically for independent SEBI-registered Research Analysts.

See Aktai for Research Analysts

FAQ

What does SEBI Regulation 25 require for Research Analysts?

SEBI (Research Analysts) Regulations, 2014, Regulation 25 requires every registered Research Analyst to maintain records of all research reports, client communications, investment recommendations, and related correspondence for a minimum of 5 years. The records must be maintained in a manner that ensures they cannot be tampered with after the fact. SEBI inspectors can request these records during an inspection, and failure to produce them is treated as a compliance violation, potentially resulting in a show-cause notice, fine, or suspension of the RA certificate.

How long must a SEBI Research Analyst keep research records?

The minimum retention period under Regulation 25 is 5 years from the date of the research report or client communication. This means a research note sent to a client today must be retrievable and verifiably unaltered until at least May 2031. The 5-year clock runs from the communication date, not from when the RA certificate was issued or renewed.

Is WhatsApp enough for SEBI Regulation 25 compliance?

No. WhatsApp messages can be deleted by either party, disappear if a phone is replaced, and do not provide a tamper-evident timestamp that SEBI can verify. Regulation 25 requires records maintained in a manner that prevents subsequent modification. A WhatsApp chat is editable, deletable, and carries no cryptographic proof of when a message was originally sent. Some RAs use WhatsApp Business with chat exports, but these are not tamper-evident and would not satisfy a rigorous SEBI inspection.

What is a tamper-evident audit trail for research records?

A tamper-evident audit trail is a record-keeping mechanism where each entry is cryptographically sealed at the moment of creation, making it verifiable that the record was not modified after the fact. The standard approach is SHA-256 hashing: the text of a research note is run through a hash function at the exact moment it is sent, and the hash value is stored alongside the note, timestamp, and client ID. If anyone edits the note later, the hash no longer matches the content, and the tampering is detectable. SEBI inspectors can verify the chain of records without needing to trust the RA's word that the records are intact.

Can SEBI inspect a Research Analyst's records?

Yes. SEBI has the authority under Regulation 27 of the SEBI (Research Analysts) Regulations, 2014 to inspect the books, records, and documents of any registered Research Analyst. Inspections can be routine (annual or biennial) or triggered by a complaint. SEBI inspectors typically request records for a specific client or time period. RAs must produce the requested records within the timeframe SEBI specifies, usually 7 to 21 days. Inability to produce records is itself a violation.

Related reads

For SEBI-registered Research Analysts

Run your research desk on Aktai.

Track filings across your client book, draft factual notes with AI, deliver them white-label over WhatsApp and email, and keep a 5-year audit trail. One tool.

โœฆ Filing to note in under 10 secondsโšก White-label WhatsApp delivery๐Ÿ”’ Regulation 25 audit trail
Get started โ†’See pricing โ†’

For SEBI-registered Research Analysts ยท Start in minutes

What AKTAI stands for

A

Always

K

Knowing

T

Trusted

A

Actionable

I

Instant

โš ๏ธ

Not financial advice. Aktai is software for SEBI-registered Research Analysts. It is not a financial adviser, broker, Investment Adviser, or Research Analyst, and is not registered with SEBI or any other financial regulator. It surfaces public filings and news and drafts factual notes for the registered analyst to review, edit, and sign. Aktai does not author research, make recommendations, or decide what any security is worth. The view, the recommendation, and the regulatory responsibility stay with the registered analyst who sends the note. Full disclaimer โ†’