SEBI Regulation 25 Audit Trail for Research Analysts (2026)
Every SEBI-registered Research Analyst has to keep an audit trail. Most know the phrase and few know what it actually means in practice. This is the definitive explainer: what Regulation 25 obliges you to record, what separates a real audit trail from a folder of files, the 5-year retention rule, and the specific things an inspector checks when they ask for your records.
Note: General information, not legal or compliance advice. Verify everything here against the current SEBI (Research Analysts) Regulations and the latest circulars before you act, and consult a SEBI-qualified compliance professional for advice specific to your practice.
What Regulation 25 requires
Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 is the record-keeping rule. It does two things. First, it obliges you to maintain records of your research recommendations, the basis for them, your client communications, KYC, and disclosures, kept in a form that cannot be tampered with, for a minimum of 5 years. Second, Regulation 25(3) requires an annual compliance audit by an external Chartered Accountant, Company Secretary, or Cost Accountant, with the report submitted to RAASB.
The records obligation and the audit obligation are linked. The annual audit checks, among other things, that the records exist and hold up. If your trail is clean, the audit is a formality. If it is a pile of WhatsApp exports and a spreadsheet, the audit becomes a reconstruction project you do once a year under pressure.
What counts as an audit trail, not just a folder of files
A folder of PDFs and chat exports is storage. An audit trail is something stronger: a record where each entry carries a fixed original timestamp and can be shown to be unchanged since it was created. The difference is integrity. Anyone can keep files. The trail has to prove, to a third party who does not take your word for it, that nothing was edited after the fact.
That is the test an inspector applies. They are not just asking whether a record exists. They are asking whether they can trust it. A record that could have been quietly rewritten last week is, for compliance purposes, no record at all. We cover the failure mode in detail in why a spreadsheet fails Regulation 25.
The records you must keep
Four categories, all retained for at least 5 years:
The recommendation and its basis are the heart of it. A target price with no documented reasoning behind it is hard to defend. The point of recording the basis is to show that each call was a considered view, with the data and analysis that led to it captured at the time, not invented afterwards.
Why timestamps are the whole game
Strip everything else away and the audit trail exists to answer one question: when did you first make this call? That is what protects a client, and it is what trips up most analysts. A bad recommendation is not a violation. A recommendation you cannot prove the timing of is the problem, because it leaves room to claim a call was made, or not made, after the outcome was known.
An Excel sheet cannot answer the question. Its modified date moves every time you open and save it, and it tells you when a cell was last touched, never when it was first entered. You could write a recommendation today and date the cell to last month, and nothing in the file would contradict you. That single property is why a spreadsheet is not tamper-evident, no matter how disciplined you are about filling it in.
A tamper-evident record fixes the timestamp at the moment of sending and seals the content with a hash computed at that instant. Change one character later and the hash no longer matches, so the edit is detectable by anyone, including the inspector. That is the standard the audit trail is reaching for.
The 5-year retention rule
Retention is a minimum of 5 years, and the clock runs from the date of each record, not from your registration or its renewal. A note sent today has to be retrievable and provably unaltered well into 2031. That window outlasts the typical phone-upgrade and laptop-replacement cycle, which is exactly where home-grown record-keeping breaks: the device that held the records is gone before the obligation ends.
Practically, retention is a storage decision you make once, not a habit you maintain. If your records live somewhere that survives your hardware and exports cleanly, retention takes care of itself. If they live on the phone in your pocket, you are one cracked screen away from a compliance gap.
What an audit-ready research note looks like
An audit-ready note is not a longer note. It is a note with the right fields locked to it at the moment it goes out. Concretely, that means the content, a fixed original timestamp, the client it went to, and a hash of the content captured on send. With those four, the note answers every question an inspector can ask without you reconstructing anything.
Audit-ready record (one row of an export):
record_id, client_id, sent_at_ist, content_hash_sha256, note_text
RA-2026-005193, client-0117, 2026-06-10T13:44:22+05:30, a3f7c1..., "Infosys: maintain BUY, target ₹1,940, basis Q4 margin recovery..."
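The sealing described above, as an added example (not code from this page or from Aktai): each row's content_hash_sha256 is checked against its note_text, and, going beyond the page, rows are chained so that an edit followed by a recomputed hash, or a backdated sent_at_ist, still shows up. The chain_hash column, the problem codes, the sample rows and the practice of lodging the final chain value with a third party are assumptions of this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first record's chain link

def content_hash(note_text):
    """SHA-256 of the note text, as in the content_hash_sha256 export column."""
    return hashlib.sha256(note_text.encode("utf-8")).hexdigest()

def chain_hash(prev, row):
    """Bind this row's id, client, timestamp and content hash to the previous link."""
    fields = [prev, row["record_id"], row["client_id"],
              row["sent_at_ist"], row["content_hash_sha256"]]
    return hashlib.sha256(json.dumps(fields).encode("utf-8")).hexdigest()

def seal(prev, record_id, client_id, sent_at_ist, note_text):
    """Build the row at send time; chain_hash is an added (hypothetical) column."""
    row = {"record_id": record_id, "client_id": client_id,
           "sent_at_ist": sent_at_ist,
           "content_hash_sha256": content_hash(note_text),
           "note_text": note_text}
    row["chain_hash"] = chain_hash(prev, row)
    return row

def verify(rows, expected_head):
    """Return (record_id, problem) pairs; an empty list means the export checks out."""
    problems, prev = [], GENESIS
    for row in rows:
        if content_hash(row["note_text"]) != row["content_hash_sha256"]:
            problems.append((row["record_id"], "content_mismatch"))
        if chain_hash(prev, row) != row["chain_hash"]:
            problems.append((row["record_id"], "chain_mismatch"))
        prev = row["chain_hash"]
    if prev != expected_head:  # head is held outside the record store
        problems.append(("HEAD", "head_mismatch"))
    return problems

def build_sample():
    """Constructed sample export: three notes to two clients."""
    notes = [("RA-0001", "client-A", "2026-06-10T13:44:22+05:30", "Stock X: maintain BUY"),
             ("RA-0002", "client-B", "2026-06-11T09:15:00+05:30", "Stock Y: SELL"),
             ("RA-0003", "client-A", "2026-06-12T10:02:41+05:30", "Stock X: raise target")]
    rows, prev = [], GENESIS
    for note in notes:
        rows.append(seal(prev, *note))
        prev = rows[-1]["chain_hash"]
    return rows, prev  # prev is the head value to lodge with a third party
```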
For how the recommendation itself should read, see the research report format for SEBI Research Analysts. The format is the content. The audit trail is the proof of when you said it.
What a SEBI inspector checks
Inspections are often triggered by a specific client complaint, so they tend to zero in on one client and one period. Based on the pattern of SEBI inspection and adjudication orders against Research Analysts, these are the questions the records have to survive:
- Can you produce the records for the client and period under inspection at all?
- Does the stored recommendation match what the client says they received?
- Can you show the original timestamp of the call, not just a recent modified date?
- Is the content provably unaltered since it was sent, or could it have been edited after the fact?
- Is each communication linked to a specific client, or was it an untraceable group broadcast?
Notice that only the first is about whether records exist. The rest are about whether they can be trusted. That is the part people underestimate. For the wider picture of how to be ready when the request lands, see SEBI inspection readiness for Research Analysts.
Building the trail without doing it by hand
You can build all of this manually. It is tedious, error-prone, and it fails exactly when you need it, during an inspection 18 months after the fact. The cleaner approach is to make the record a by-product of sending the note, so there is no separate book-keeping step to forget.
That is how Aktai for Research Analysts handles it. Every note is hashed with SHA-256 and archived the moment it is sent, with its timestamp and the client it went to. Records are kept for 5 years and export to CSV in one click. The record is tamper-evident by design, so the October Regulation 25(3) audit becomes a download rather than a reconstruction. For the mechanics of automating the notes themselves, see how to automate client notes under Regulation 25.
On timing, the annual audit has to be completed within 6 months of your financial year-end, so by 30 September for a 31 March close, with the report submitted to RAASB within 1 month after that, no later than 31 October. Work out your own dates with the SEBI RA compliance deadline calculator, and keep them on your compliance calendar for 2026-27. The audit itself is covered in the SEBI annual compliance audit guide.
FAQ
What does the Regulation 25 audit trail actually require?
Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 requires you to keep records of every research recommendation and its basis, the date and timestamp each recommendation was made, your client communications, KYC, and conflict-of-interest disclosures, for a minimum of 5 years. The records must be kept so they cannot be altered after the fact. Separately, Regulation 25(3) requires an annual compliance audit by an external CA, CS, or Cost Accountant, with the report submitted to RAASB.
How long must a Research Analyst keep records under Regulation 25?
A minimum of 5 years. The clock runs from the date of each record, not from when your registration was granted or renewed. A recommendation sent today must stay retrievable and provably unaltered for the full 5 years, which is longer than most people keep a phone or a laptop, so the storage needs to outlive your devices.
Why do timestamps matter so much in the audit trail?
The whole point of the audit trail is proving when a recommendation was first made. A file with a modified date only tells you when it was last touched, not when the content was first written, and a cell can be changed without a trace. To be tamper-evident, each recommendation needs a fixed original timestamp and a way to detect any later change, such as a hash computed at the moment it was sent.
When is the Regulation 25(3) compliance audit due?
The annual compliance audit under Regulation 25(3) must be completed within 6 months of the financial year-end, so by 30 September for a 31 March year-end, and the report submitted to RAASB within 1 month of that, no later than 31 October. A clean audit trail is what makes that audit a download rather than a reconstruction.