Chinese Walls and Investor Acknowledgment: Does SEBI’s 2026 Custodian Framework Adequately Protect Investors?

Introduction

A circular issued by the Securities and Exchange Board of India (SEBI) on March 4, 2026 changed the nature of operations of custodians. The first being the availability of financial services by the non-bank custodians via separate Strategic Business Units (SBUs), on the strict conditions, such as client recognition that SEBI will not manage the grievances related to the unregulated activities. Although this framework is presented as a balance between innovation and protection, it raises some important questions on whether disclosure and internal barriers are sufficient in safeguarding investors who engage with one entity that provides both regulated and unregulated services.

Regulatory Architecture

Statutory Basis and Scope: The amendments of the SEBI (Custodian) Regulations, 1996 notified September 18, 2025 circular. Regulation 9(f) has now been modified to allow custodians to conduct any activity, in connection with the rendering of financial services, subject to a crucial exception, with the non-bank custodians bearing such conditions that SEBI prescribes, whereas the bank custodians and their subsidiaries/associates/joint ventures are not subject to these extra requirements. Such a bifurcation is associated with two contrasting regulatory philosophies; although the regulation of banks is located within the overarching supervision of RBI, non-bank custodian banks need non-bank-specific guardrails as determined by SEBI.

The Unregulated Activities Framework: Non-bank custodians should be undertaking both regulated and unregulated financial services using separate SBUs with:

• Accounts kept on an arm-length basis.
• Net worth requirements met when SBU books were left out.
• Feedback to the clients and recognition that unregulated activities are not subject to the redressal of grievances provided by the SEBI.
• Manpower, infrastructure, systems sharing were allowed on the principles of Chinese walls, and need to know.

It is interesting to note that the circular fails to indicate what activities are considered to be unregulated. This is delegated under Clause 2.1.1 to Custodians and DDPs Standards Setting Forum (CDSSF) in consultation with SEBI. This list, which is essential to the comprehension of the scope of the framework, is forthcoming at the time of this writing.

Outsourcing Conundrum: Core vs. Non-Core Activities

The Framework of 2011 and Limitations: Clause 3 refers to SEBI Circular CIR/MIRSD/24/2011 dated December 15, 2011 which only allows registered intermediaries to outsource non-core business activities but not core business activities and compliance functions. This differentiation has been in existence for more than fourteen years but the industry wide standardized categorization has been elusive.

The Unresolved Question: Clause 3.2 requires that CDSSF will exercise and make a list of core/non-core activities categorization with consultation and with due approval of SEBI. The circular recognizes the fact that the core / non-core distinction has been policy regulatory since 2011 but its implementation has been left to individual interpretation. This casts a number of concerns:

• Why is it that categorization has not been completed in a decade and a half? The lack implies the natural challenge in establishing boundaries that would be applicable everywhere and on a variety of business models. What is considered as core to one custodian might be on the margins to another. The flexibility of the 2011 circular might have been a deliberate choice to be able to define their own core functions depending on the business particularities by intermediaries. Nonetheless, the flexibility brings regulatory ambiguity and no uniformity of standards.
• What happens in the interim? Custodians will be stuck working with the 2011 framework without a definite roadmap until the list is available, which will be published by CDSSF. This uncertainty in transition may result in different practices, with some custodians becoming conservative and others may go to the extremes.
• Who determines the occurrence of disagreements? In case a custodian contracts an activity that CDSSF finds to be a core one, the issue of regulatory adherence as well as penalties come to light. The framework puts a retrospective risk on custodians acting in good faith in the period between time.

This delay arguably goes against the aim of the circular which is harmonious interpretation and consistent approach by the participants in the industry. The activities, which can be outsourced, which may include those functions associated with unregulated services, cannot be categorized in a standardized manner, therefore, making them ambiguous.

Interpreting Clause 5.3.2: Clause 5.3.2 requires that custodians at all times retain sufficient capacity of the critical custody system with the view of ensuring capacity to meet 1.2 times average load of transactions experienced in the year before.

The Rationale

This particular multiplier of 1.2 times is not some arbitrary figure, but is an expression of accepted concepts of systems engineering and risk management. The number is an indication of a buffer capacity requirement which is created to make the operation resilient without introducing unrealistic costs.

Peak load accommodation: The financial markets are volatile. The 20% buffer is to make sure that systems do not crash under higher than average volumes. When there is even a tinge of stress in the market, the volumes of transactions can soar very high; the buffer gives space.

Graceful degradation: May occur when full capacity systems become overburdened and as a result, become unstable. The buffer allows optimum performance parameters to be maintained even during high volume periods.

Practice in the industry: This kind of multiplier has been found in other regulatory regimes. As an example, which is usually typical of stock exchange and clearing corporations, there may be capacity requirements based on multiples of peak load. The 1.2 figure must have been arrived at after consultation with the players in the industry and technical people and this was a compromise between safety and cost.

The Significance

The 1.2 requirement implicitly recognizes that the custodians dealing with both regulated and unregulated activities have compounded operational risks. Where systems providing regulated custody co-locate with unregulated SBU operations (under Clause 2.2), there might be capacity constraints on either side. The buffer requirement is used to make sure that uncontrolled actions do not jeopardize controlled service delivery.

It is important to note that Clause 5.3.1 mandates the non-bank custodians to have policy frameworks approved by the IT committee to upgrade the infrastructure whereas the bank custodians can use the prevailing bank-wide structures. The 1.2 requirement is broadly applicable, as it acknowledges that the matters of operational resilience are institutional transcendent.

The Chinese Wall: Barrier To Information Or Fiction Of Controls

The clause 2.2.1 states that custodians should have appropriate control and mechanisms such as Chinese walls and observing the principle of need to know in place in order to deal with conflict of interest issues. This is an addition to SEBI Circular CIR/MIRSD/5/2013 dated August 27, 2013, which gives general provisions on how to manage conflicts of interest.

Chinese walls do not involve physical segregation, but procedural and cultural barriers. In the case when the regulated and unregulated divisions are served by the same employees, systems, and infrastructure, the wall is not made concrete but conceptual. Key challenges include:

• Information asymmetry: There is a full knowledge of operations by the custodian, but only a unitary brand by the client. Despite obstacles within companies, there is an entity level incentive to utilize client relationships across companies.
• Enforcement challenge: Structural separation, Contrary to structural separation, procedural walls must be observed at all times. How are breaches detected? What are the solutions to clients who fall victim to information leakage? The circular does not have any enforcement mechanism.
• Crossing and staff rotation: Chinese walls can limit information flow, but staff can cross divisions or communicate in common areas, establishing informal channels of information flow that can be checked incomplete.

The Bank Exemption

The bank custodian clauses 2.1.2 exclude the requirements of SBU. Clause 5.1.2 elucidates that they may not need to make separate specific committees of the custody business/function and may make use of the bank wide or organization wide policies, committees, governance structures.

This brings about a two tier system. Bank clients are not given any disclaimer that SEBI is not going to entertain grievances of unregulated activity- but the same activity by non-bank custodians leads to compulsory acknowledgment. The distinction is in the backup regulation: RBI offers safety nets which SEBI does not. Customers who are selecting custodians have to thus, not only examine the service but also the institutional form of provider which many might not recognize.

Investor Protection Measurement

Capital ring-fencing: Net worth calculated without the inclusion of SBU books is to make sure that the unregulated risks do not affect the regulated functions.

Improvement of governance: Board-level committees improve the oversight.

Transparency: This is required to avoid a situation where the client does not know that SEBI is not involved in unregulated business.

Critical Gaps

The recourse vacuum: The recognition of SEBI not helping is not a specification on who should. In the case of uncontrolled operations, investors are subjected to unsure grievance systems.

The issue of identification: In the absence of differentiation of the services in the regulated and unregulated websites, sites, premises, the clients do not know what hat is attired by their custodian.

The uncertainty in outsourcing: Up until the publication of core/non-core categorization, there are no standard boundaries of outsourcing practices by CDSSF.

The compliance gap: There are no Chinese wall enforcement specifications. How are breaches detected? What remedies exist?

Conclusion

Making an attempt to balance the safeguards, the March 2026 circular of SEBI is pragmatic in acknowledging financial convergence but is an attempt to provide a balance on the safeguards. Still, there are essential gaps, though. The long period of fourteen years between core and non-core classification undermines harmonization. The 1.2 times requirement which though technically satisfactory will only be in line with operational resilience, and not investor protection. Chinese walls however well-designed cannot drive entity-level conflicts of interest out.

This framework will be completed after CDSSF issues the list of unregulated activities and the core/non-core classification, the means of specific grievance is offered, and the visual distinction is present. The investors would be prudent to read the acknowledgements and make judgment on whether one-stop simplicity is worth coming out of the safety net of SEBI.

The circular will be effective March 24, 2026 and the wind-down structures will be required by September 2026 and data center requirement by March 2029. These slow adoptions will manifest in the coming months whether they will provide the regulatory community with more difficult questions to think with or merely delay the eventual possibilities of questioning the regulatory limits in the age of converging financial services.

Author:– Akshat Pugalia, in case of any queries please contact/write back to us at support@ipandlegalfilings.com or   IP & Legal Filing.