AKP Corporate & Compliance Digest January 19, 2026

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.

1.             Labour Law

1.1.         EPFO extends ECR filing deadline for December 2025 wage month

Employees’ Provident Fund Organisation (“EPFO”) extended the due date for filing the Electronic Challan-cum-Return (ECR) for the wage month of December 2025 up to January 18, 2026. This extension directly affects employers’ statutory deposit-and-reporting timelines for provident fund contributions for that wage period and is intended to ease compliance within the revised window.

1.2.         Rajasthan issues revised draft Code on Wages Rules, 2026

Labour Department, Government of Rajasthan published the revised draft Code on Wages (Rajasthan) Rules, 2026 under Section 67 of the Code on Wages, 2019, inviting objections and suggestions within 45 (forty-five) days, after an earlier draft was issued in 2021. The draft sets out how minimum wages will be calculated and periodically updated, including a “standard working class family” benchmark, cost components (including housing at 10 per cent (ten per cent) of food and clothing, fuel and miscellaneous at 20 per cent (twenty per cent), and education / medical / recreation / contingencies at 25 per cent (twenty-five per cent)), and variable dearness allowance revision twice a year on April 1 and October 1 based on Labour Bureau price indices. It also prescribes working hour norms (including a 48 (forty-eight) hour weekly cap, daily spread-over limits, weekly rest day rules and flexibility with employee consent), caps total wage deductions at 50 per cent (fifty per cent) in a wage period, establishes procedures for fines and deductions, and details governance and administration such as the State Advisory Board composition and process. Employers must maintain specified electronic or physical registers and issue wage slips, preserve records for 5 (five) years, file an annual return electronically through the format under the Occupational, Safety, Health and Working Conditions Code, 2020 rules, and note that several legacy Rajasthan rules on minimum wages and wage payment are proposed to be repealed upon commencement of the new rules, subject to savings for past actions and ongoing proceedings. [Rajasthan]

1.3.         PFRDA tightens cyber incident and annual compliance reporting for PoPs and non-individual RAs

Pension Fund Regulatory and Development Authority (“PFRDA”) on January 15, 2026, issued a Circular to all Points of Presence (“PoPs”) under National Pension System (“NPS”), NPS-Lite and Atal Pension Yojana (“APY”), and all non-individual Retirement Advisers (“RAs”), prescribing reporting requirements under its Information and Cyber Security Policy Guidelines-2024. PFRDA classifies regulated entities (REs) into 2 (two) categories, Category I (pension funds registered as PoPs) and Category II (PoPs including APY service providers and RAs, excluding individuals), and requires each to submit an annual certificate of compliance for the relevant financial year within 30 (thirty) days from the end of that financial year in the revised formats at Annexure I and Annexure II. In addition to reporting cyber incidents to the Indian Computer Emergency Response Team (“CERT-In”), all PoPs and non-individual RAs must mandatorily report specified cyber incidents to PFRDA within the timelines and format set out in the 2024 guidelines, and Category I PoPs must also submit a quarterly cyber incident report to PFRDA with remedial actions taken. Category I PoPs must further submit their Board-reviewed and approved Cyber Security Policy to PFRDA within 30 (thirty) days of Board approval. [PFRDA]

2.             Stamp Duty

2.1.         Indian Stamp Act amended in Punjab for loan-document stamping

The Department of Legal and Legislative Affairs, Punjab notified the Indian Stamp (Punjab Second Amendment) Act, 2025, which came into force on January 14, 2026, and further amends the Indian Stamp Act, 1899 (as applicable to Punjab). It revises Schedule 1-A (Entry 6) to prescribe stamp duty at 0.25 per cent (one quarter of one per cent) of the loan amount credited (or an existing or future debt), subject to a maximum of INR 5,00,000 (Indian Rupees Five Lakhs only). It also adds a clarification that where more than 1 (one) instrument is executed for the same loan under this entry, duty is chargeable on the total loan amount across such instruments, so long as no additional loan amount is secured by any such instrument. [Punjab]

2.2.         Supreme Court clarifies stamp duty treatment of agreements to sell in Andhra Pradesh

Supreme Court of India held that an agreement to sell does not, by itself, operate as a conveyance transferring title and therefore should not be charged with stamp duty as a sale deed merely because it contemplates a future transfer. In substance, the Court reiterated that stamp duty must follow the true nature of the instrument as executed, unless the applicable law deems such an agreement to be a conveyance in specific circumstances. This ruling is relevant for disputes where registering authorities seek to demand conveyance-level stamp duty on agreements to sell under the Andhra Pradesh Stamp Act, 1920. [Andhra]

3.             Stock Exchanges

3.1.         NSE reminds trading members to submit Action Taken Reports for internal audit non-compliances

National Stock Exchange of India Limited (“NSE”) issued a circular on January 16, 2026 reminding all trading members to close and report the status of non-compliance(s) identified in their Internal Audit Report for the half year ended September 30, 2025 by January 31, 2026 through the Inspection module on the Member Portal in the prescribed format, referencing prior NSE circulars dated December 1, 2025 and December 12, 2025. NSE cautioned that if observations are not closed in the Action Taken Report, or if the Action Taken Report is not submitted by the due date, monetary penalties and/or disciplinary actions may be initiated as per NSE circular dated October 10, 2025, and other applicable penalty circulars, and it also provided regional inspection contact details for clarifications.

3.2.         BSE releases penalty report for client code modifications in non-institutional trades

Bombay Stock Exchange (“BSE”) Limited issued a notice stating that the penalty report (as per Exchange Notice Nos. 20110729-24 dated July 29, 2011 and 20110826-4 dated August 26, 2011) for client code modifications of non-institutional trades executed during December 2025 has been uploaded to members’ Extranet, in the EQUITY TRANSACTION FOLDER, with the file name PM1225.Clg, and members have been asked to save the file for future reference and reach out to BSE’s trading operations contacts for any clarification.

3.3.         BSE reiterates January 31 deadline for Internal Audit Action Taken Reports

BSE Limited, by notice reminded trading members to close all non-compliances reported in their Internal Audit Report for the half year ended September 30, 2025, and submit the corresponding Action Taken Report on or before January 31, 2026, through the BSE Electronic Filing System (“BEFS”). BSE cautioned that if observations are not closed in the Action Taken Report, or if the Action Taken Report is not submitted within the due date, monetary penalties and/or disciplinary action may be initiated in accordance with Exchange notice dated October 10, 2025, and other penalty circulars issued from time to time.

3.4.         BSE reminded members to submit cyber security and cyber resilience audit report by January 31, 2026

BSE Limited, by notice dated January 16, 2026, reminded trading members to submit the Cyber Security and Cyber Resilience Audit Report for the period ended September 30, 2025 on or before January 31, 2026, through the BEFS portal, failing which penal or disciplinary action may be initiated. The notice also states that members who are registered with both BSE and NSE should submit the cyber audit report only to NSE, in line with the technology-based sharing mechanism for common submissions among exchanges, while members not registered with NSE must continue submitting to BSE under the existing process, and it encloses user manuals for members and auditors to support use of the cyber audit module.

3.5.         NSDL extends deadline for depository participants to submit half-yearly cyber audit report under SEBI CSCRF

National Securities Depository Limited (“NSDL”), through Circular dated January 16, 2026, revised the due date for submission of the Cyber Audit Report (half-year ended September 30, 2025) under the Cyber Security and Cyber Resilience Framework (“CSCRF”) for eligible categories of depository participants, extending the deadline from December 31, 2025 to January 31, 2026, with the audit to be conducted by a CERT-In empanelled auditor and submitted to NSDL after approval from the participant’s IT Committee. NSDL also set March 31, 2026, as the due date for submission of the Action Taken Report or revalidation report (through the CERT-In auditor) after IT Committee approval and clarified that participants outside the specified categories must instead submit a certificate confirming that their self-determined categorisation is in accordance with the CSCRF framework.

3.6.         BSE restricts trading for clients with ‘On Hold’ KYC pending KRA validation

BSE Limited issued guidelines pursuant to amendments to the Securities and Exchange Board of India KYC Registration Agency Regulations, 2011. It reminded trading members that Know Your Client (“KYC”) records marked “On Hold” by KYC Registration Agencies (“KRAs”) are treated as non-validated and must be rectified. BSE stated that clients whose KYCs were uploaded to KRAs between December 1, 2025, and December 31, 2025, but remain “On Hold” (whether Aadhaar-based or non-Aadhaar based and supported by an Officially Valid Document) will, from January 24, 2026, not be permitted to trade and will also be unable to square off any open positions until validation requirements are met. BSE will flag non-compliant Permanent Account Number (“PAN”) holders as “Not Permitted to Trade” and will restore trading permission on the next trading day once a PAN becomes KRA-compliant based on daily data received from KRAs, while reiterating the SEBI-mandated requirement to block debit transactions and suspend trading accounts when investor demise information is reported centrally through KRAs.

4.             Information Technology

4.1.         CERT-In warns of multiple high-severity vulnerabilities in SAP products

Indian Computer Emergency Response Team (“CERT-In”) on January 13, 2026, issued Advisory CIAD-2026-0001 flagging multiple vulnerabilities across SAP products, including SAP S/4HANA (private cloud and on-premises), SAP HANA database, SAP NetWeaver (ABAP and Enterprise Portal), SAP Application Server for ABAP, SAP Business Connector, SAP Identity Management and certain SAP Fiori apps. The advisory states that these issues could enable attacks such as SQL injection, cross-site scripting, privilege escalation, arbitrary code or command execution, security restriction bypass, open redirects, sensitive information disclosure and cross-site request forgery, creating risks including unauthorised access, data manipulation, phishing redirection and potential system compromise, with a high risk of data breach. CERT-In lists 19 (nineteen) associated CVEs and advises SAP system administrators, security teams, IT infrastructure teams and application developers to apply the relevant fixes referenced in SAP’s January 2026 security notes.

4.2.         CERT-In flags remote code execution vulnerabilities in Fortinet products

CERT-In on January 14, 2026 issued Vulnerability Note CIVN-2026-0019 warning of high-severity vulnerabilities affecting Fortinet products, including FortiClientEMS, FortiOS, FortiSwitchManager and FortiSASE, which could be exploited by a remote or authenticated attacker to execute arbitrary code or unauthorised commands on targeted systems. CERT-In assessed a high risk of unauthorised access, remote code execution and system compromise, with potential impacts including data theft, service disruption or complete compromise, and attributed the issues to a heap-based buffer overflow in FortiOS and FortiSwitchManager and SQL injection in FortiClientEMS. CERT-In advised organisations and individuals using affected versions to apply the relevant vendor updates referenced in Fortinet’s security advisories and provided the associated CVEs as CVE-2025-25249 and CVE-2025-59922.

4.3.         CERT-In flags remote code execution vulnerabilities in Microsoft Excel

CERT-In on January 14, 2026 issued Vulnerability Note CIVN-2026-0020 warning of multiple high-severity vulnerabilities in Microsoft Office Excel that could allow a remote attacker to execute arbitrary code on an affected system by inducing a user to open a specially crafted Excel file, potentially resulting in unauthorised access, data theft, or broader system compromise. CERT-In assessed the risk as high and advised end-user organisations and individuals managing Microsoft Excel to apply the relevant Microsoft security updates referenced in Microsoft’s update guide for CVE-2026-20955 and CVE-2026-20957.

4.4.         CERT-In flags information disclosure vulnerability in Windows Desktop Window Manager

CERT-In on January 14, 2026 issued Vulnerability Note CIVN-2026-0021 highlighting an information disclosure vulnerability in the Desktop Window Manager (DWM) component of Microsoft Windows that could allow an authenticated local attacker with low privileges to disclose sensitive information from system memory, potentially aiding follow-on attacks by bypassing security protections such as Address Space Layout Randomisation (ASLR). The advisory applies to multiple supported versions of Windows 10, Windows 11 and Windows Server, assesses the risk as medium, and advises organisations and individuals to apply Microsoft’s update for CVE-2026-20805 as referenced in Microsoft’s update guide.

4.5.         CERT-In flags high-severity vulnerabilities in Microsoft products, including one exploited in the wild

CERT-In on January 14, 2026, issued Advisory CIAD-2026-0002 warning of multiple vulnerabilities in Microsoft products—including Microsoft Office, Windows, Azure, developer tools and SQL Server—which could enable elevated privilege attacks, sensitive information disclosure, remote code execution, spoofing and denial of service, with potential outcomes such as system compromise, data exfiltration, ransomware and system crashes. CERT-In specifically highlighted an information disclosure vulnerability in the Windows Desktop Window Manager (CVE-2026-20805) that can be exploited by an authenticated local attacker and noted that it is being exploited in the wild, advising users and IT administrators to apply Microsoft’s January 2026 security updates immediately and refer to Microsoft’s update guide for the complete list of affected products, CVEs, workarounds and fixes.

5.             Tax

5.1.         Supreme Court backs Revenue in Mauritius DTAA capital-gains dispute linked to Flipkart deal structure

Supreme Court of India held that where transactions are found to be an impermissible tax-avoidance arrangement, treaty relief under the Double Taxation Avoidance Agreement (“DTAA”) cannot be claimed, and the Revenue is entitled to enquire into the arrangement (including by applying Chapter X-A and the statutory framework governing treaty eligibility). The Court allowed the appeals, set aside the High Court decision, and held that capital gains arising from transfers effected after April 1, 2017, are taxable in India under the Income Tax Act, 1961 read with the applicable DTAA provisions, on the facts found.

Disclaimer

The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.

For further queries or details, you may contact:

Mr Anuroop Omkar

Founding Partner, AK & Partners

info@akandpartners.in