What Is SEBI Regulation 25?
SEBI Regulation 25 is the record-keeping rule for Research Analysts. It requires every registered RA to maintain records of their research recommendations, client communications, KYC, and disclosures, in a form that cannot be tampered with, for at least 5 years. Regulation 25(3) adds an annual compliance audit on top. This is the short, citable explainer.
Note: General information, not legal or compliance advice. Verify everything here against the current SEBI (Research Analysts) Regulations and the latest circulars before you act, and consult a SEBI-qualified compliance professional for advice specific to your practice.
What Regulation 25 is
Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 obliges you to keep records of every research recommendation and its basis, your client communications, KYC, and conflict-of-interest disclosures, in a form that cannot be tampered with, for a minimum of 5 years. Regulation 25(3) sits on top of that: it requires an annual compliance audit by an external Chartered Accountant, Company Secretary, or Cost Accountant, with the report submitted to RAASB.
The two halves are linked. The annual audit checks, among other things, that the records exist and hold up. If your trail is clean, the audit is a formality. If it is a pile of WhatsApp exports and a spreadsheet, the audit becomes a reconstruction project you do once a year under pressure.
What records it requires
Four categories, all retained for at least 5 years:
The recommendation and its basis are the heart of it. A target price with no documented reasoning behind it is hard to defend. The point of recording the basis is to show that each call was a considered view, with the data and analysis captured at the time, not invented afterwards.
Tamper-evidence: why "keep records" is not enough
The regulation does not just say keep records. It says keep them in a manner that ensures they cannot be tampered with. That is the part that trips people up. A folder of PDFs and chat exports is storage. An audit trail is something stronger: a record where each entry carries a fixed original timestamp and can be shown to be unchanged since it was created.
An Excel sheet cannot meet that bar. Its modified date moves every time you open and save it, and it tells you when a cell was last touched, never when a note was first entered. You could write a recommendation today and date the cell to last month, and nothing in the file would contradict you. The standard the regulation reaches for is a record that fixes the timestamp at the moment of sending and seals the content with a hash, typically SHA-256, computed at that instant. Change one character later and the hash no longer matches, so the edit is detectable by anyone, including the inspector. We go deeper in the Regulation 25 audit trail guide.
The 5-year retention rule
Retention is a minimum of 5 years, and the clock runs from the date of each record, not from your registration or its renewal. A note sent today has to be retrievable and provably unaltered well into 2031. That window outlasts the typical phone-upgrade and laptop-replacement cycle, which is exactly where home-grown record-keeping breaks: the device that held the records is gone before the obligation ends. Treat retention as a storage decision you make once, not a habit you maintain.
Who it applies to
Every SEBI-registered Research Analyst, individual or corporate. There is no carve-out for solo RAs or small practices. If you issue research recommendations to clients in India, you are obliged to keep the Regulation 25 records and to undergo the annual Regulation 25(3) audit. This is an India-only rule under the SEBI (Research Analysts) Regulations, 2014; it is not a global record-keeping standard.
Why it matters in an inspection
SEBI has the authority under Regulation 27 to inspect the books and records of any registered RA. Inspections can be routine or triggered by a client complaint, and they tend to zero in on one client and one period. You are typically given 7 to 21 days to produce the requested records, and inability to produce them is itself a violation, separate from whatever the original complaint was about.
The inspector is not just asking whether a record exists. They are asking whether they can trust it: does the stored note match what the client says they received, can you show the original timestamp rather than a recent modified date, and is the content provably unaltered since it was sent. A record that could have been quietly rewritten last week is, for compliance purposes, no record at all. That is why tamper-evidence sits at the centre of the rule.
Aktai for Research Analysts: Regulation 25 by default
Every note sent through Aktai for Research Analysts is SHA-256 hashed and archived the moment it goes out, with its timestamp and the client it went to. Records are kept for 5 years and export to CSV in one click, so the October Regulation 25(3) audit becomes a download rather than a reconstruction.
Request access at aktai.app/for-research-analysts or email [email protected].
FAQ
What is SEBI Regulation 25 in simple terms?
Regulation 25 of the SEBI (Research Analysts) Regulations, 2014 is the record-keeping rule for Research Analysts. It requires you to keep records of every research recommendation and its basis, your client communications, KYC, and conflict-of-interest disclosures, in a form that cannot be tampered with, for a minimum of 5 years. Regulation 25(3) adds an annual compliance audit by an external professional, with the report submitted to RAASB.
How long must records be kept under Regulation 25?
A minimum of 5 years. The clock runs from the date of each record, not from when your registration was granted or renewed. A recommendation sent today must stay retrievable and provably unaltered for the full 5 years, which is longer than most people keep a phone or a laptop, so the storage has to outlive your devices.
Who does Regulation 25 apply to?
Every SEBI-registered Research Analyst, individual or corporate. There is no exemption for solo RAs or small practices. If you issue research recommendations to clients in India, you are obliged to maintain the Regulation 25 records and undergo the annual Regulation 25(3) compliance audit. This is an India-only rule under the SEBI (Research Analysts) Regulations, 2014.
When is the Regulation 25(3) compliance audit due?
The annual compliance audit under Regulation 25(3) must be completed within 6 months of the financial year-end, so by 30 September for a 31 March year-end, and the report submitted to RAASB within 1 month of that, no later than 31 October. A clean, tamper-evident audit trail is what turns that audit into a download rather than a year-end reconstruction.