How to Automate Client Research Notes Under SEBI Regulation 25
Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 is one of the most commonly cited compliance gaps in SEBI inspections of individual Research Analysts. The rule is straightforward: keep tamper-proof records of every research report and client communication for 5 years. The gap is that most RAs use tools, WhatsApp, Excel, email, that are not tamper-proof by design. This guide covers what Regulation 25 actually requires and how to automate compliance.
Note: This is an informational guide, not legal or compliance advice. Consult a SEBI-qualified compliance officer or advocate for advice specific to your practice.
What Regulation 25 actually requires
Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 states that every Research Analyst must maintain the following records for a minimum of five years:
- All research reports issued to clients, including draft versions.
- All client communications related to research, including emails, messages, and notes.
- Records of the basis for each recommendation: the data, analysis, and rationale used.
- Conflict of interest disclosures made in connection with each report.
Critically, the regulation specifies that records be maintained in a manner that ensures they cannot be tampered with. This is not a vague aspiration. SEBI expects records that can demonstrate, if challenged, that the content has not been altered since the original communication date.
The practical implication: if a client disputes a recommendation you made 18 months ago, SEBI can request the original record. You need to produce a document with a verifiable original timestamp and provably unaltered content. "I have the WhatsApp message" is usually not sufficient.
Why common methods fall short
Most independent RAs use one or more of these approaches. All of them have meaningful compliance gaps.
This is not about SEBI being unreasonable. The requirement that records be tamper-proof exists to protect clients. If an RA could quietly update a research note after a bad call, clients would have no recourse. The regulation locks the record at the moment of communication.
The technical standard: hash + timestamp + client ID
Tamper-evident record keeping is a solved problem in software. The standard approach uses three components:
SHA-256 hash
A cryptographic fingerprint of the note content, computed at the moment of send. If a single character of the note is changed after the fact, the hash changes. The mismatch is detectable by anyone with the original content and hash value.
Timestamp
Set server-side at the moment of send, not derived from the client device clock. A server timestamp that is logged to an immutable record cannot be retroactively altered without access to the database. The timestamp should record both UTC and IST to avoid ambiguity.
Client ID
Every record links to the specific client who received the communication. SEBI inspections often focus on a specific client complaint. Without client linkage in the audit trail, the RA must search manually through communications to reconstruct the history.
Together, these three fields create a record that is tamper-evident in the sense required by Regulation 25. SEBI inspectors can take the note text, run it through SHA-256, and verify the hash matches the stored value. If it does, the content is provably the same as when it was sent.
How Aktai for Research Analysts implements it
Aktai for Research Analysts automates the full Regulation 25 record-keeping workflow. Here is the step-by-step flow.
Note is drafted
The RA writes a research note or recommendation in the Aktai for Research Analysts interface.
Hash sealed on send
At the moment the RA clicks Send, the note content is run through SHA-256. The resulting hash is stored alongside the note text, timestamp, and client ID. Neither the RA nor Aktai can alter the note without breaking the hash.
Delivery to client
The note is delivered to the client via WhatsApp or Telegram using the official Business API. Delivery confirmation (sent/delivered/read status) is also logged.
Record stored for 5 years
The sealed record: note text, hash, timestamp (UTC + IST), client ID, delivery status, is stored in the Aktai system for the full 5-year retention period required by Regulation 25.
Export for SEBI inspection
When SEBI requests records, the RA generates a CSV export from the Aktai dashboard. The export includes the note text, hash value, timestamp, and client ID for every communication in the requested period, formatted for straightforward inspection review.
Sample CSV export row (SEBI inspection format): record_id, client_id, sent_at_utc, sent_at_ist, content_hash_sha256, note_text, delivery_status RA-2026-004821, client-0042, 2026-05-25T08:14:22Z, 2026-05-25T13:44:22+05:30, a3f7c1..., "HDFC Bank Q4 FY26: PAT โน16,512 Cr, +12% YoY...", delivered
What SEBI inspectors look for in record-keeping
Based on publicly available SEBI inspection orders and adjudication proceedings against Research Analysts, the most common record-keeping findings are:
- No records at all for the period under inspection. The RA cannot produce any documentation of communications with the complainant client.
- Records that do not match the communication content alleged by the client. The RA has a record, but it shows a different recommendation than what the client claims was received.
- Records older than 3 years that have been deleted or lost due to device replacement. The 5-year retention window extends well beyond typical phone upgrade cycles.
- Research notes that are not linked to specific clients. The RA sent a group broadcast on WhatsApp but has no record of which clients received it.
Built for Regulation 25
Aktai for Research Analysts: tamper-evident logging for SEBI RAs
Every research note sent through Aktai is SHA-256 hashed at send time. Client ID, timestamp, delivery status, and hash are stored for 5 years. One-click CSV export for SEBI inspection. Designed specifically for independent SEBI-registered Research Analysts.
See Aktai for Research AnalystsFAQ
What does SEBI Regulation 25 require for Research Analysts?
SEBI (Research Analysts) Regulations, 2014, Regulation 25 requires every registered Research Analyst to maintain records of all research reports, client communications, investment recommendations, and related correspondence for a minimum of 5 years. The records must be maintained in a manner that ensures they cannot be tampered with after the fact. SEBI inspectors can request these records during an inspection, and failure to produce them is treated as a compliance violation, potentially resulting in a show-cause notice, fine, or suspension of the RA certificate.
How long must a SEBI Research Analyst keep research records?
The minimum retention period under Regulation 25 is 5 years from the date of the research report or client communication. This means a research note sent to a client today must be retrievable and verifiably unaltered until at least May 2031. The 5-year clock runs from the communication date, not from when the RA certificate was issued or renewed.
Is WhatsApp enough for SEBI Regulation 25 compliance?
No. WhatsApp messages can be deleted by either party, disappear if a phone is replaced, and do not provide a tamper-evident timestamp that SEBI can verify. Regulation 25 requires records maintained in a manner that prevents subsequent modification. A WhatsApp chat is editable, deletable, and carries no cryptographic proof of when a message was originally sent. Some RAs use WhatsApp Business with chat exports, but these are not tamper-evident and would not satisfy a rigorous SEBI inspection.
What is a tamper-evident audit trail for research records?
A tamper-evident audit trail is a record-keeping mechanism where each entry is cryptographically sealed at the moment of creation, making it verifiable that the record was not modified after the fact. The standard approach is SHA-256 hashing: the text of a research note is run through a hash function at the exact moment it is sent, and the hash value is stored alongside the note, timestamp, and client ID. If anyone edits the note later, the hash no longer matches the content, and the tampering is detectable. SEBI inspectors can verify the chain of records without needing to trust the RA's word that the records are intact.
Can SEBI inspect a Research Analyst's records?
Yes. SEBI has the authority under Regulation 27 of the SEBI (Research Analysts) Regulations, 2014 to inspect the books, records, and documents of any registered Research Analyst. Inspections can be routine (annual or biennial) or triggered by a complaint. SEBI inspectors typically request records for a specific client or time period. RAs must produce the requested records within the timeframe SEBI specifies, usually 7 to 21 days. Inability to produce records is itself a violation.