AKP Corporate & Compliance Digest November 03, 2025
- AK & Partners

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. Centre authorises Regional Provident Fund Commissioners to exercise Section 14AC powers under the Employees’ Provident Funds and Miscellaneous Provisions Act, 1952
Ministry of Labour and Employment authorised Regional Provident Fund Commissioners (RPFCs) to exercise the powers of the Central Provident Fund Commissioner under the Employees’ Provident Funds and Miscellaneous Provisions Act, 1952 (EPF&MP Act) within their jurisdictions, via Notification S.O. 4920(E); it supersedes S.O. 549(E) dated November 1, 1973, takes effect on publication, and applies across 24 (twenty-four) regions listed in the Schedule including the National Capital Territory of Delhi, major States, and specified Union territories.
1.2. Centre brings ESI Act provisions into force in Soreng, Gyalshing and Mangan (Sikkim)
Ministry of Labour and Employment appointed November 1, 2025, as the commencement date for specified provisions of the Employees’ State Insurance Act, 1948 (ESI Act) across the entire areas of Soreng, Gyalshing and Mangan districts in Sikkim, operationalising compulsory insurance, contributions, benefits and adjudication mechanisms in these 3 (three) districts.
1.3. Rajasthan amends Factories Rules to strengthen protections for women and young persons in hazardous processes
Government of Rajasthan notified the Rajasthan Factories (Amendment) Rules, 2025 under Section 112 of the Factories Act, 1948, revising rule 100 of the Rajasthan Factories Rules, 1951 to add safeguards across 16 (sixteen) schedules. The rules bar employment of pregnant women, lactating mothers, adolescents and children in specified hazardous processes, and allow other women to work only where engineering controls, automation, enclosed systems and specialised Personal Protective Equipment (PPE) are in place with limited exposure periods where required. They mandate regular air or heat stress monitoring, blood lead level or other health testing as applicable, emergency response and safety training for all workers, and require remote monitoring, gas detection and local exhaust ventilation in defined operations. The amendment also codifies a prohibition on sand blasting using free silica and takes effect on publication in the Official Gazette.
1.4. Centre amends EPS for Employees’ Enrolment Campaign, 2025 damages relief
Ministry of Labour and Employment notified the Employees’ Pension (Amendment) Scheme, 2025 under Section 6A read with Section 7(1) of the Employees’ Provident Funds and Miscellaneous Provisions Act, 1952 (EPF&MP Act), inserting paragraph 43C into the Employees’ Pension Scheme, 1995 (EPS). It creates a special regime for the Employees’ Enrolment Campaign, 2025 (“EEC”) covering employees whose membership has been declared under paragraph 82B of the Employees’ Provident Funds Scheme, 1952 (“EPF Scheme”). For valid EEC declarations, damages for defaults between July 1, 2017 and October 31, 2025 are fixed at INR 100 (Indian Rupees One Hundred only) as a lump sum, and payment of INR 100 (Indian Rupees One Hundred only) under EEC special provisions in any one of the 3 (three) schemes, the EPF Scheme, the Employees’ Deposit Linked Insurance Scheme, 1976 (EDLI Scheme), or the EPS, will be treated as compliance. The amendment takes effect on November 1, 2025, and will cease to operate on April 30, 2026.
2. Stamp Duty
2.1. Goa authorises NeSL as SHCIL’s online stamp-duty collection centre for non-registrable documents
Department of Revenue, Government of Goa, authorised the Stock Holding Corporation of India Limited (SHCIL) to appoint National E-governance Service Limited (NeSL) as its Authorised Collection Centre for online payment of stamp duty for non-registrable documents under Schedule I to the Indian Stamp Act, 1899. The order covers instruments including acknowledgements, affidavits, loan or security agreements, deposit of title deeds, bonds, debentures, further charge on movable property, indemnity bonds, leases below 1 (one) year, bank guarantees or letters of credit, letters of licence, mortgages with respect to movable property, powers of attorney relating to movable property, reconveyance of mortgage, respondentia bonds, security bonds and awards.
3. Stock Exchange
3.1. NSE reiterates prior-instruction requirement for IPO bid placement
National Stock Exchange of India (“NSE”) reminded Trading Members to obtain prior client instructions, in physical or electronic form, before uploading initial public offering (IPO) bids on the exchange platform. The circular cites Securities and Exchange Board of India (SEBI) directions requiring investors to submit complete bid-cum-application forms to designated intermediaries, mandatory acknowledgements to investors, retention of physical forms for 6 (six) months for Unified Payments Interface (UPI) applications with subsequent forwarding to the issuer or registrar, and maintenance of electronic records for 3 (three) years without printouts. NSE noted inspections found bids placed without such instructions and reiterated strict compliance.
3.2. NSDL standardises penalty review and appeal; sets fee and timeline
National Securities Depository Limited (“NSDL”) issued a circular on review, appeal or waiver of penalties arising from actions by the Member Committee (“MC”). Requests against actions of the Internal Committee (IC) or the Market Infrastructure Institution (MII) under a pre-approved policy will be placed before the MC. Requests against MC decisions taken in meetings after September 19, 2025 will be handled by a Member Appellate Committee (MAC) formed by the MII’s Governing Board and comprising Public Interest Directors and/or Independent External Professionals not on the MC. Constituents must file within 45 (forty-five) working days of the penalty communication with complete documents, pay a non-refundable fee of INR 10,000 (Indian Rupees Ten Thousand only) plus Goods and Services Tax (GST) credited to the Investor Protection Fund Trust of NSDL, and email submissions to nsdl-bp-inspection@nsdl.com. NSDL will place the request before the MC or MAC and communicate decisions, and further appeal may be made to the appropriate authority as permitted by law.
3.3. NSDL to suspend demat accounts flagged by KRAs for invalid KYC
NSDL ordered suspension of demat accounts of existing clients whose Know Your Customer (“KYC”) records are found invalid by KYC Registration Agencies (“KRAs”) after validation. Based on KRA data of October 6, 2025, covering Permanent Account Number (“PAN”) updates during September 1–30, 2025, NSDL has identified Depository Participant (“DP”)-wise accounts and posted the list on the e-PASS portal under “Non-Complied KYC KRA Accounts”. NSDL will suspend these accounts for debit and credit on November 1, 2025, and has directed DPs to notify affected clients. A prior batch linked to August 2025 PAN updates was suspended on September 27, 2025.
3.4. CDSL adds “Overdue – Insufficient Stamp Duty” status for off-market and pledge-invocation transactions
Central Depository Services (India) Limited (“CDSL”) introduced a new transaction status, “Overdue – Insufficient Stamp Duty,” for off-market transactions and invocation of normal pledge transactions, applicable when the stamp-duty balance is insufficient in the Beneficial Owner (BO) or DP account at execution. CDSL will verify balances until End of Day (EOD); transactions will settle if funds are made available within this window or be cancelled during EOD processing if not. The DP37 report will reflect status code “Z – Overdue – Insufficient Stamp Duty,” while the DP97 report will use status “SDPO (Stamp Duty Payment Overdue)” and transaction code “ODISD (Overdue – Insufficient Stamp Duty).” The release is targeted for October 31, 2025.
3.5. CDSL introduces DPT9 report to expedite closure of “To be closed” demat accounts
CDSL announced a new “DPT9” report, “To be Closed BO with Free Balance,” to help DPs close demat accounts marked “To be closed” once International Securities Identification Numbers (ISINs) are activated or free balances appear. The report will be generated at End of Day (EOD) for such accounts and downloaded via the Reports module using Module ID 11 (eleven) and Report ID DPT9. CDSL reiterated that DPs must promptly transfer available ISINs to the target demat account and close the source account per operating instructions, and asked participants to implement back-office changes before a tentative live release on October 31, 2025, EOD.
3.6. BSE revises Unique Client Code categories to distinguish NRE and NRO
BSE Limited (BSE) announced changes to the Unique Client Code (“UCC”) database to improve identification of non-resident clients, effective November 22, 2025. The existing Non-Resident Indian (NRI) client category will be treated as Non-Resident External (“NRE”), and a separate Non-Resident Ordinary (NRO) category will be introduced. Trading Members must update client records in the UCC. No change is required where a UCC already exists for an NRE account.
4. Information Technology
4.1. CERT-In flags high-severity RCE in Microsoft Edge (Chromium)
Indian Computer Emergency Response Team (“CERT-In”) issued Vulnerability Note CIVN-2025-0281 warning of a high-severity remote code execution (RCE) flaw in Microsoft Edge (Chromium-based) versions prior to 141.0.3537.85. The vulnerability stems from a use-after-free in Safe Browsing and can be triggered by a specially crafted request, risking arbitrary code execution and full system compromise. CERT-In advises all organisations and individuals using affected builds to apply the vendor’s security update without delay as per Microsoft’s release notes.
4.2. CERT-In issues critical alert on WSUS remote code execution flaw
CERT-In issued Vulnerability Note CIVN-2025-0282 on a Critical remote code execution flaw in Windows Server Update Services (WSUS) affecting multiple Windows Server versions. The weakness stems from improper deserialisation of untrusted data in WSUS web services, allowing an unauthenticated remote attacker to execute arbitrary code via specially crafted Hypertext Transfer Protocol (HTTP) requests, with risks of privilege escalation, malicious update distribution, full system takeover, sensitive information disclosure, and service disruption. CERT-In reported active exploitation under the Common Vulnerabilities and Exposures (CVE) identifier CVE-2025-59287 and advised disabling the WSUS Server Role and blocking inbound traffic to ports 8530 and 8531 on the host firewall.
4.3. CERT-In issues high-risk alert for Red Hat JBoss vulnerabilities
On October 29, 2025, CERT-In issued Vulnerability Note CIVN-2025-0283 on multiple flaws in Red Hat JBoss Core Services that could enable Denial of Service (DoS) and potentially remote code execution (RCE). The weaknesses include use-after-free, NULL pointer dereference during Extensible Markup Language (XML) XPath processing, type confusion, integer overflow in xmlBuildQName(), and out-of-memory conditions in the XML parser. Successful exploitation via specially crafted requests may lead to unauthorised access, service disruption, or system unavailability. CERT-In rates the severity as High and advises applying Red Hat’s fixes referenced in RHSA-2025:19020.
4.4. CERT-In issues high-severity alert on Firefox use-after-free flaw
CERT-In issued Vulnerability Note CIVN-2025-0284 on a High-severity use-after-free vulnerability in Mozilla Firefox versions prior to 144.0.2 that could let a remote attacker execute arbitrary code or cause denial of service (DoS). The flaw resides in WebGPU internals and can be triggered from a compromised child process using a specially crafted Hypertext Transfer Protocol (HTTP) request, creating a high risk of unauthorised access to sensitive data and potential system compromise for all end-user organisations and individuals using Mozilla products.
4.5. CERT-In warns of multiple high-severity vulnerabilities in Apache Tomcat
CERT-In issued Vulnerability Note CIVN-2025-0285 on flaws affecting Apache Tomcat versions 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.43, and 9.0.0-M11 to 9.0.108. The weaknesses stem from failure to escape American National Standards Institute (ANSI) escape sequences in log messages and a regression introduced while fixing a prior bug, where a rewritten Uniform Resource Locator (URL) was normalised before decoding. Exploitation could enable remote code execution (RCE), denial of service (DoS) and sensitive information disclosure under specific configurations. CERT-In advises administrators and maintainers to apply the vendor’s fixes without delay.
4.6. CERT-In issues critical advisory on Palo Alto Networks Expedition vulnerabilities
CERT-In issued Vulnerability Note CIVN-2025-0286 on multiple critical flaws in Palo Alto Networks Expedition versions prior to 1.2.96. The issues include command injection enabling remote execution of operating system (OS) commands, Structured Query Language (SQL) injection exposing database contents, and cross-site scripting (XSS). Attackers could read or write files on the Expedition host, extract usernames, cleartext passwords, device configurations and application programming interface (API) keys for Palo Alto Networks Operating System (PAN-OS) firewalls, and hijack authenticated browser sessions. CERT-In flags critical risks to confidentiality, integrity and availability and warns of unauthorised access and data manipulation.
4.7. CERT-In flags high-risk GitLab vulnerabilities enabling security bypass and DoS
CERT-In issued Vulnerability Note CIVN-2025-0287 on multiple flaws in GitLab versions prior to 18.5.1, 18.4.3 and 18.3.5 affecting Community Edition (CE) and Enterprise Edition (EE). The weaknesses could allow a remote attacker to bypass security restrictions, cause Denial of Service (DoS), or compromise system integrity. Issues include improper access control in the runner Application Programming Interface (API), incorrect authorisation in pipeline builds, missing authorisation in quick actions, a business-logic error in group memberships, and DoS issues in upload, event collection and JavaScript Object Notation (JSON) validation. CERT-In rates the severity as High and warns of risks including data theft, privilege escalation and service unavailability.
4.8. CERT-In warns of multiple Google Chrome for Desktop vulnerabilities
CERT-In issued Vulnerability Note CIVN-2025-0288 on multiple High-severity flaws in Google Chrome for Desktop affecting versions prior to 142.0.7444.59 on Linux and 142.0.7444.59/60 on Windows and macOS. The weaknesses span the V8 engine and components such as Extensions, Autofill, Media, Storage, Omnibox, Fullscreen UI, SplitView and WebXR, and could enable remote code execution, privilege escalation, security bypass, spoofing or Denial of Service (DoS) through specially crafted web pages. CERT-In flags risks of system compromise, data theft and service disruption, and advises users and organisations to update to patched releases.
4.9. CERT-In warns of multiple high-risk vulnerabilities in Atlassian products
CERT-In issued advisory CIAD-2025-0040 on multiple high-risk vulnerabilities affecting Atlassian Bamboo Data Center and Server, Fisheye/Crucible, Jira Data Center and Server, and Jira Service Management Data Center and Server. The flaws could enable path traversal with arbitrary write, Hypertext Transfer Protocol (HTTP) request smuggling, Simple Mail Transfer Protocol (SMTP) injection, or trigger Denial of Service (DoS), creating risks of unauthorised access, sensitive information disclosure, resource exhaustion, session hijacking, service disruption, or system compromise. CERT-In rates the severity as High and identifies users of these products as the target audience.
5. Tax
5.1. GSTN to bar filing of GST returns pending beyond three years
Goods and Services Tax Network (GSTN) advised that, under the Finance Act, 2023 and Central Tax Notification No. 28/2023 effective October 1, 2023, the GST portal will enforce the bar on filing Goods and Services Tax return (GSTR) forms after 3 (three) years from their due date under Sections 37, 39, 44 and 52 of the Central Goods and Services Tax Act, 2017. From the November 2025 tax period, returns whose due dates are 3 (three) years old or more will be blocked, with blocking reflected from December 1, 2025; examples include GSTR-1/Invoice Furnishing Facility (IFF) for October 2022, GSTR-3B for October 2022, and GSTR-9/9C for Financial Year (FY) 2020–21. Taxpayers have been urged to reconcile records and file any pending returns before the cut-off.
5.2. CBDT extends AY 2025–26 return filing and audit report deadlines
Central Board of Direct Taxes (CBDT) extended the due date for furnishing the Return of Income under Section 139(1) of the Income Tax Act, 1961 for Assessment Year (AY) 2025–26 for assessees covered by clause (a) of Explanation 2 to Section 139(1) from October 31, 2025 to December 10, 2025, and also moved the “specified date” for furnishing the audit report for Previous Year 2024–25 (AY 2025–26) from October 31, 2025 to November 10, 2025, with a formal order or notification to follow.
Disclaimer
The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.
For further queries or details, you may contact:
Mr Anuroop Omkar
Founding Partner, AK & Partners




