Some knowledge nuggets about Structured Digital Database

What is the concept of a Structured Digital Database (SDD)?

Structured Digital Database (SDD) is a Digital Database which:

• Should be maintained internally by the company.
• Should be maintained with adequate internal checks, time stamping, and audit trails.
• Should be non-tamperable.
• Should not be outsourced.
• Containing the details such as the name of persons with whom the UPSI has been shared with, name of persons for whom there is access to UPSI, PAN of those persons, and any other Identification number authorized by Law.

In general, SDD is a kind of Digital Database which should be maintained internally in a non-tamperable manner along with time-stamping and audit trail. The Database must contain the name and PAN number of Persons with whom the UPSI has been shared.

Insider trading is all about trades done based on "information" which is not generally available, and that is the preserve of a few "insiders". Thus, UPSI is the crucial point of insider trading controls. UPSI, after having originated at some stage within the organization, may be shared with either insiders or fiduciaries or intermediaries. Until the information matures into public notice, it may result in insider trading. Hence, the intent of the SDD is to keep track of who all were the recipients of UPSI.

What is Structured Digital Database?

A structured Digital Database ('SDD') is a database of Unpublished Price Sensitive Information (UPSI), shared internally or externally, with the intent of keeping track of who all were in the knowledge of a UPSI before it became public. The concept emanates from Reg. 3 (5) and 3 (6) of the SEBI (Prohibition of Insider Trading) Regulations, 2015 ('Regulations'), first introduced vide the SEBI (Prohibition of Insider Trading) (Amendment) Regulations, 2018, which was effective the 01-04-2019.

What is the intent of the SDD?

The intent is to record the flow of sharing of UPSI by any person "with partners, collaborators, lenders, customers, suppliers, merchant bankers, legal advisors, auditors, insolvency professionals or other advisors or consultants, etc. for "legitimate purpose", subject to such sharing not being carried out to evade or circumvent the prohibitions of the Regulations. The intent of the SDD is that the regulator or stock exchanges, in case of any inquiry or investigation into insider trading, may trace the trail of sharing of UPSI.

What are the Crucial Elements of an SDD?

The following are the crucial elements:

• It is only the sharing of UPSI that is required to be entered.
• What is "UPSI" is a subject matter of determination and may involve subjectivity.
• Once information is determined to be UPSI, its sharing, internally or externally, until it becomes public by way of public notification, needs to be captured in the SDD.
• The word "sharing" implies that the creation of the information provides the information to someone who was not otherwise aware of it. Going by this, the sharing of information to such persons who are legitimately expected to be aware of information within the organization on a continuous basis may be perfunctory. For example, the CEO or whole-time directors are presumably in the know of the information.

What shall be the trigger point for inserting a record in the SDD?

Sharing of UPSI internally or externally is the trigger for recording the same in the SDD.

When is UPSI Evolved?

When the information starts taking the shape of price-sensitive information i.e. where the probability of going ahead with the information/concerned event is higher than not going ahead and such information is likely to "materially" affect the prices of the securities of the company when published, sharing of such information shall be recorded in the Database

Whether sharing of UPSI internally be recorded in SDD or records shall be maintained only when it is shared outside the organization

Irrespective of whether a UPSI is shared internally or externally, necessary recording should be made in SDD.

The intent of maintaining SDD is that the flow of sharing of UPSI is recorded. SDD needs to contain the names of the person(s) with whom UPSI has been shared. This means that entry should be made upon sharing the information so as to ensure that the same is not missed subsequently and captures the event.

One may understand the relevance of recording information shared externally, but in the case of information shared internally, what purpose does it serve?

A listed company/market participant should be required to maintain an electronic record containing the name of the person with whom UPSI is shared and the nature of UPSI. Further, while sharing UPSI for "legitimate purposes", the listed company/market participant should serve a notice or sign a confidentiality/ non-disclosure agreement with the person with whom UPSI is shared, informing him/her that he has to ensure compliance with the Regulations while in possession of UPSI shared with him/her.

What is the rationale for such a digital database?

Dr. T.K. Viswanathan Committee explained "that once the information is shared with outsiders such as partners, collaborators, lenders, major customers, major suppliers, investment bankers, legal advisors, auditors, insolvency professionals or other advisors or consultants for a legitimate purpose, the company has no control over it. Therefore, the company must keep track of the first level of recipients, such that, if an investigation so needs it, the company can establish a trail. Each of the fiduciaries, likewise, are supposed to be answerable for the integrity and protection of the confidentiality of the information received by them."

From the above, it might have been concluded that the Regulations require recording the sharing of information externally only. While the external sharing of information is critical, one cannot, however, ensure control over the sharing of information by multiple insiders, unless the insiders who were in the know are also recorded. Further, such internal sharing of information, if captured in the SDD, also creates sensitization for the recipient.

It may also be contended that such natural and necessary exchange of information, for example, board notes and agenda papers to the directors, and financial statements to the auditors, are presumable, and therefore, no effective purpose may be served by recording such exchange of information. It may be contended that the entry into SDD is for cases involving intermittent and infrequent sharing of information. Entering each and every flow of UPSI in the company into the SDD where the same is necessarily a part of the normal flow of such information in the course of the recipient's functions and rights will make the maintenance perfunctory.

However, it appears that the regulator has intended the requirement of SDD to be unexceptional, with a view to trace the whole trajectory of the information.

Hence, SEBI in its Comprehensive FAQs provides that SDD is required to be maintained irrespective of the fact that information is shared within or outside the Company, requisite records are required to be updated in SDD as and when the information gets transmitted.

Similarly, BSE in its FAQs on SDD explained that the intent of maintaining SDD is that the flow of sharing of UPSI is recorded. SDD needs to contain the names of the person(s) with whom UPSI has been shared. This means that entry should be made upon sharing the information so as to ensure that the same is not missed subsequently and captures the event. For e.g.: while finalizing financial results for say quarter ended September 2022, one entry can be made for the persons in the accounts department at the start of the finalization process. Additionally, if UPSI is shared with Auditors, then the details of the audit firm, the senior partner and other entities of the audit firm with whom UPSI is shared, needs to be recorded. The audit firm, in turn, must maintain SDD accordingly. 

What is to be recorded - the information about an event that is shared through a chain of recipients, or every sharing of the said information?

SDDs are expected to be maintained by technology platforms - so much will have to depend on the structure of the input accepted and the output in the form of SDD entries. For example, if A gives a UPSI to B, B gives it to C, and C gives it to O1, an outsider, each of these flows of information needs to be captured in the SDD.

If O1 then gives it to O2, another outsider, that is not within the domain of the company, but within the domain of the recipient of the information. O1 and O2 are fiduciaries or market intermediaries, they need to likewise maintain SDD entries.

Further, if A gave the information in the first place to B, C, and D simultaneously, are there 3 different entries or one single entry? This will be essentially the format of the SDD in the platform.

Which all entities are required to maintain SDD?

Every listed entity and organization is required to handle UPSI as fiduciaries or intermediaries are required to maintain SDD.

It may be noted that debt-listed entities are also listed entities, and they have listed securities. It is not the frequency of trading or the width and depth of the market which is the basis of compliance with the requirements of PIT Regulations. Therefore, debt-listed entities are as much required to adhere to all the PIT controls, including SDD.

Who all required to make entries in SDD?

Regulation 3(5) and 3(6) of PIT Regulations, 2015 mandates that the Board of Directors or the head(s) of the organization of every person required to handle UPSI shall ensure that the Database is maintained as per the requirements of the PIT Regulations, 2015.

Therefore, putting a system in place to capture and record the SDD, in terms of the PIT Regulations, 2015 is to be implemented by the Board of Directors or the head(s) of the organization of every such person. Further, the Board of Directors or the head(s) of the organization of every such person is also required to determine who is to be given access to the same.

Employees who have access to UPSI or who are in possession of UPSI and who share that UPSI are required to make entries in SDD. Sharing of UPSI here means sharing UPSI on a need-to-know basis or sharing UPSI with any person in order to allow him to perform his legal obligations. Sharing of UPSI can be within the organization or outside the organization then also entry in SDD is required to be made.

In the case of multiple group companies, whether the SDD should be maintained separately?

As per Regulation 3(5) of the PIT Regulations, 2015, the company shall maintain the SDD internally with adequate internal controls and checks such as time stamping and audit trails to ensure non-tampering of the database. It is understood that every company shall maintain an independent SDD to comply with these prerequisites as prescribed by the PIT Regulations.

Is the entry in the SDD synchronous with the sharing of the information, or is it to be entered subsequently? If it is a subsequent entry, within how much time is the entry to be made?

Ideally, if the technology application that maintains the SDD can pick up information from emails that are tagged as "sensitive", then the entry in the SDD should be real-time. However, if real-time entries are not done, there will necessarily be some gap between the sharing of the information, and the entry in the SDD. The gap should be as less as feasible, and these controls have to be part of the PIT/SDD controls which are laid by the board of directors/CEO.

Assuming that information was shared some time ago, but it comes to the knowledge of the compliance officer later. Can it or should it still be entered? Undoubtedly, yes. Just because there has been a gap does not become a reason for not entering an information share in the SDD.

What would be the contents of an SDD?

As mentioned under Reg. 3(5), the digital database shall contain the name and PAN/ any other identifier authorized by law where PAN is not available, of persons who have shared UPSI, the nature of UPSI, and persons or entities with whom UPSI is shared. Following is the illustrative list:

• Name of Supplier of Information and Recipient of Information.
• PAN of Supplier of Information and Recipient of information.
• Categories of persons such as Designated Persons (DPs); Employees of the Company who are not Designated Persons (DPs); Persons who are neither employees nor DPs but may come into contact with the DPs of the Company.
• Nature of UPSI and reason for sharing UPSI.
• Source of Information.
• Non-Disclosure Agreement or Confidentiality Agreement executed or not.
• Date and Time of sharing.
• Date of entry.
• Details of the person making the entry i.e. The database shall be maintained under the supervision of the Compliance Officer of the Company.
• Any other information as may be necessary.

What is UPSI? What all UPSI is required to be maintained in SDD?

All types of UPSI are required to be maintained in SDD. UPSI definition as provided by SEBI PIT Regulations is inclusive in nature. SEBI PIT Regulations state as follows:

As per Regulation 2(1)(n) of SEBI PIT "unpublished price sensitive information" means any information, relating to a company or its securities, directly or indirectly, that is not generally available which upon becoming generally available, is likely to materially affect the price of the securities and shall, ordinarily including but not restricted to, information relating to the following: – (i) financial results; (ii) dividends; (iii) change in capital structure; (iv) mergers, de-mergers, acquisitions, delisting, disposals and expansion of business and such other transactions; (v) changes in key managerial personnel.

On perusing this definition, it can be inferred that (a) any information would be considered as UPSI only when the information when disclosed in the market is likely to create a significant market impact on the price of the securities of the company and (b) definition provides an illustrative list of information that can be considered as UPSI. It can also happen that the above-referred information may not be considered UPSI.

Following are a few examples

Example 1:

Bagging of order as UPSI: For example, Company A Ltd. is having annual turnover of Rs.50 crore on average. Its Managing Director signed a new contract for the supply of goods worth Rs.15 crores. Now this information is crossing 10% of the annual turnover of A Ltd. So, this information is surely material information. This information when disclosed to the public (i.e., on the stock exchange) is likely to create a significant positive market reaction. Hence that information would be considered as a UPSI. This information that A Ltd. has got a material contract is known to the MD of the company and his subordinates. So, it is the responsibility of MD and his subordinates to make an entry in SDD. They will have to make an entry in SDD as soon as they sign the contract. This information that A Ltd. has received a material contract would remain UPSI till the time same is disclosed to the stock exchange.

Financial Results as UPSI: Say for example A Ltd. is planning to conduct a board meeting to consider June quarter financial results on August 14, 2023. Financial results preparation for this meeting started on July 7, 2023, when the trial balance was prepared. From this date till the financial results are approved at aforesaid meeting whoever has access to this UPSI and with whomsoever person this information is shared, his name is required to be maintained in SDD. So, if Mr A, the account manager is aware of the profit figure on July 20, 2023, and he shares draft financials with the CFO then Mr. A will have to make an entry in SDD stating that he has shared draft financials with CFO. Further, if CFO shares the same with the statutory auditor, he will have to make an entry in SDD.

Buyback of shares as UPSI: Further suppose a company is considering buyback of shares. Initially, it is being discussed between CFO and MD. After certain discussion, it is finalized that now a proposal shall be placed before the board of directors for approval of buyback.  At the time when it was decided that the proposal for buyback shall be placed in a board meeting for approval entry shall be made in SDD by CFO or MD. Names shall be entered of all those with whom this information is shared in the course. This information as discussed above shall be UPSI till it is disclosed to the stock exchange.

Making an entry in SDD is very important to identify the flow of UPSI. It is very important to create awareness about who shall make an entry in SDD. Entries in SDD act as evidence about the flow of information.

Will SDD be updated even in case of sharing of financial results, annual report, etc. with vendors for publication, designing, etc.?

As long as any information while sharing these documents does not contain UPSI, we do not see any reason for making an entry in the SDD. Once the financial results are approved by the board, they are put in the public domain. It is no more a UPSI. It means that any information which is easily accessible by the public at large or it is not a Price Sensitive information then same is not required to be entered into SDD.

Sharing of information related to GST returns etc be recorded in SDD? Is sharing of data for GST returns every month a legitimate purpose? Should it also be recorded in SDD?

Sharing of turnover details for GST returns may happen before the board receives and approves financial results - hence, this is an example of UPSI sharing, and is an event that ought to be captured in the SDD.

Yes, sharing of data for filing GST returns is a legitimate purpose. The GST team will, understandably, get the data on turnover for each GST registration. If there are multiple GST registrations, it is not conceivable that the GST team has enough of a picture to get an idea of the performance of the company as a whole. However, depending on the significance, if the Company is classifying the said information as UPSI, then the same shall be recorded in the SDD.

If the company shares the UPSI with the external person and such an external person further shares the UPSI, then will the 2nd leg of sharing be recorded?

Whenever there is any sharing of UPSI within or outside the company, it is the responsibility of the company to inform the recipient by entering NDA with the external persons and by sending a notice of confidentiality to the internal person. Simultaneously, the company has to make an entry in SDD. Thereafter, it is the responsibility of the recipient to protect the UPSI through the latter's Code of Conduct. If the external person further shares the UPSI for legitimate purposes, it will be the responsibility of the latter, and if the latter is a fiduciary, the fiduciary will make an entry in its SDD.

Whether non-execution of NDA is non-compliance? Is it sufficient if a notice of sharing information for legitimate purposes is given to such a recipient?

When an external party is engaged, it is recommended to execute NDA. If not NDA, the company can include a non-disclosure clause in the engagement agreement.

As per Reg. 3(2B) of the Regulations, a notice of confidentiality is to be given to persons with whom UPSI is shared. How can that be ensured?

It may be given in the manner indicated in Reg. 3 (4) of the Regulations wherein such parties are informed about their obligation to maintain confidentiality and abstain from dealing in the securities while in possession of UPSI. While the same may be incorporated in the NDA, it may be additionally informed by way of an email from the Company to the persons with whom UPSI is shared.

Is UPSI only related to my company or also of my listed/unlisted subsidiaries?

As per the Regulations, UPSI means any information, relating to a company or its securities, directly or indirectly, that is not generally available which upon becoming generally available, is likely to materially affect the price of the securities. Therefore, if the listed company shares any UPSI relating to the subsidiary company, which can materially impact the price of its own securities on becoming public, an entry should be made by the listed company in its SDD. We reiterate that in testing an information as UPSI, the critical piece is the magnitude of the information in relation to the company as a whole, and the likely impact on prices.

Are unlisted subsidiaries also required to maintain SDD?

The onus of maintaining SDD is on the listed entity or every entity required to handle UPSI, in the ordinary course of business. As stated above, in case the listed entity is in possession of any information relating to its unlisted subsidiary which may potentially materially impact the price of the securities of the listed entity, it will be required to make an entry in the SDD of the listed entity. However, the subsidiary need not maintain an SDD merely because the UPSI, being shared by the listed entity, relates to it.

Should every item covered under Reg. 30/Reg. 51 be considered as UPSI for the purpose of recording in SDD?

Reg. 30/ Reg. 51 read with Schedule III of the SEBI LODR Regulations has both items - deemed material and material based on the thresholds determined by the Company.

Every material information under Para A may not be in the nature of UPSI - for e.g. change in +/- 2% of existing investments, every alteration of memorandum or articles of association. Therefore, only those items falling under the said Schedule which materially affect the prices of listed securities will be required to be recorded in the SDD.

How should one determine that the item under Reg. 30/51 will materially impact the price?

The same may be determined by the policy on the determination of materiality framed under Reg. 30(4)(ii) approved by the board.

The KMPs authorized by the board for the purpose of determining material information should also be made responsible for identifying whether the information is in the nature of UPSI requiring an entry into SDD.

How to determine materiality in a case where the Company is not required to adopt a policy on the determination of materiality of events?

Even in cases where the Company is not required to frame a policy on the determination of materiality of events, the obligation to determine materiality and disclose still remains. Hence, the Board may authorize certain KMPs to ascertain the materiality of events and the same persons may determine if the said information is in the nature of UPSI, for the purpose of making an entry into SDD.

If we decide that the information is not a UPSI then where do we document it?

The KMPs authorized to determine materiality should also be made responsible to determine whether the information is a UPSI or not. The discussion among the authorized KMPs should be recorded and intimated to the compliance officer for further course of action i.e. closure of trading window, monitoring of entry in SDD, etc. The intention of documenting is that in case of a future investigation, the Company can safeguard itself and present the rationale for the classification or non-classification.

For what time is SDD required to be maintained?

Regulation 3(6) states shall be maintained for eight years from the date of the last entry made. In case any investigation is ordered by any regulatory authority which pertains to the transaction for which entries are made in SDD then SDD cannot be destroyed till the investigation is over.