AKP Corporate & Compliance Digest November 17, 2025
- AK & Partners

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. Uttar Pradesh extends shops and establishments law to all districts under UP Dookan Aur Vanijya Adhishthan Adhiniyam, 1962
The Uttar Pradesh Cabinet has approved an amendment to the Uttar Pradesh Dookan Aur Vanijya Adhishthan Adhiniyam, 1962, extending its coverage from selected urban areas to the entire state, so that shops and commercial establishments in all districts, including rural regions, are now brought within the statute. The amended framework will apply to establishments employing 20 (twenty) or more workers, balancing reduced compliance for smaller units with full statutory benefits for larger workplaces. The state has also expanded the Act’s scope to cover clinics, polyclinics, maternity homes, architects, tax and technical consultants, service providers and digital service platforms, meaning more white-collar and service-sector employees gain access to regulated working conditions, hours and leave entitlements under state labour law.
2. Stamp Duty
2.1. UP clears stamp duty concessions for rental lease agreements
The Uttar Pradesh Cabinet has approved a proposal to offer significant concessions in stamp duty and registration fees on lease agreements of up to 10 (ten) years, to encourage formal registration of rent agreements under the Uttar Pradesh Regulation of Urban Premises Tenancy Act, 2021. Under the new slabs, combined stamp duty and registration charges are capped based on tenure and average annual rent, with total levies broadly ranging from around INR 500 (Indian Rupees Five Hundred only) for short one-year leases on low-rent properties to about INR 10,000 (Indian Rupees Ten Thousand only) for leases up to 10 (ten) years, where the average annual rent does not exceed INR 10,00,000 (Indian Rupees Ten Lakhs only). The state has also fixed a ceiling of INR 10,00,000 (Indian Rupees Ten Lakhs only) on the average annual rent considered for these concessions and excluded toll and mining related leases from the benefit, signalling that the measure targets ordinary rental housing and commercial premises rather than infrastructure contracts. Officials have said the change is meant to counter the widespread practice of keeping tenancy arrangements oral or unregistered due to high stamp costs, which often leads to disputes and recovery actions when such agreements are challenged in audits or litigation.
2.2. Maharashtra makes monthly scrutiny of stamp duty waivers mandatory
In the wake of the Mundhwa land deal controversy in Pune, the Maharashtra Department of Registration and Stamps has ordered that all sub-registrar offices must, by the 5th (fifth) of each month, forward copies of the previous month’s registered documents where any stamp duty exemption or concession was granted to the stamp duty collector for review. Under this mechanism, stamp duty collectors are required to scrutinise these files by the 10th (tenth) of the month, verify that waivers or concessions were granted strictly in line with government rules, and initiate corrective action wherever discrepancies are detected. The order is explicitly linked to allegations that stamp duty of about INR 21,00,00,000 (Indian Rupees Twenty-One Crore only) was improperly waived on a land sale of roughly INR 3,00,00,00,000 (Indian Rupees Three Hundred Crore only) involving Amadea Enterprises Limited Liability Partnership (LLP), associated with Deputy Chief Minister Ajit Pawar’s son Parth Pawar, and it is intended to prevent similar misuse of concession notifications. The directive effectively makes periodic centralised scrutiny of all stamp duty waivers compulsory across Maharashtra, raising compliance and enforcement risk for high-value property transactions that rely on concessional rates.
3. Stock Exchanges
3.1. NSE sets CSCRF-based cyber audit timelines for trading members
National Stock Exchange of India Limited (“NSE”) has issued an Inspection Department circular dated November 10, 2025, on Cyber Security and Cyber Resilience Audit of Trading Members, implementing the Securities and Exchange Board of India (“SEBI”) Cyber Security and Cyber Resilience Framework (“CSCRF”) for Regulated Entities (“REs”). For qualified and mid-size REs and small-size REs that provide Internet-Based Trading (IBT) or algorithmic trading, the circular mandates half-yearly cyber audits for the period ending September 30, 2025, with the audit to be carried out by a Computer Emergency Response Team-India (“CERT-In”) empanelled auditor and submitted to the Exchange after approval by the entity’s Information Technology (IT) Committee by December 31, 2025, followed by an Action Taken Report (ATR) or revalidation report by March 31, 2026. It reiterates that audits must cover 100 per cent (one hundred per cent) of critical systems and 25 per cent (twenty-five per cent) of non-critical systems on a documented sample basis, that entities with multiple SEBI registrations must categorise themselves in line with CSCRF and have that categorisation approved by their Board or designated senior management, and that auditors must follow the Comprehensive Cyber Security Audit Policy Guidelines issued by CERT-In while providing control-wise compliance status and justifications for any non-applicable items. The circular encloses updated formats for cyber audit reports, executive summaries, auditor declarations and Terms of Reference (TOR), and prescribes graded monetary and disciplinary consequences for delayed submission of reports or non-closure of audit observations, including possible restrictions on new client onboarding and trading disablement in cases of persistent non-compliance.
3.2. BSE notifies members of FATF October 2025 high-risk jurisdiction statements
BSE Limited (“BSE”) has issued a compliance notice dated November 10, 2025, informing its members that SEBI has circulated the latest public statements released by the Financial Action Task Force (“FATF”) following its October 2025 Plenary on jurisdictions subject to “call for action” and “increased monitoring”. The notice highlights that no new jurisdiction has been added to the “increased monitoring” list in this cycle and that Burkina Faso, Mozambique, Nigeria and South Africa are no longer subject to FATF increased monitoring, and advises members to review the updated FATF lists via the provided links and take necessary actions to ensure ongoing compliance with anti-money laundering and countering financing of terrorism (AML/CFT) requirements.
3.3. CDSL introduces new market type for Liquidity Window settlements
Central Depository Services (India) Limited (“CDSL”) has issued a communiqué dated November 12, 2025 creating a new Market Type 59 (fifty-nine) in its depository system to process settlement transactions arising from the Liquidity Window facility for debt securities introduced by the Securities and Exchange Board of India (SEBI) via circular SEBI/HO/DDHS/DDHS-PoD-1/P/CIR/2024/141 dated October 16, 2024. The new market type will be used for settlements routed through BSE and its Indian Clearing Corporation Limited (ICCL), and NSE and its NSE Clearing Limited (NCL), and is to be selected by Depository Participants (“DPs”), Clearing Members (CMs), Trading Members (TMs) and their trading clients for Early Pay-in (EP) transactions executed through WebCDAS and/or Easiest.
3.4. CDSL to freeze demat accounts with non-validated KYC PANs
CDSL has issued a communiqué dated November 13, 2025 directing its DPs to identify and follow up with Beneficial Owners (BOs) whose dematerialised (“demat”) accounts are linked to Permanent Account Numbers (“PANs”) that Know Your Customer (“KYC”) Registration Agencies (“KRAs”) have classified as non-validated, and to prepare for system freezing of such accounts. Building on an earlier communiqué issued on October 15, 2025, CDSL informs DPs that demat accounts mapped to non-validated PANs, based on KRA data updated to October 31, 2025 and shared through DP-wise billing folders, will be frozen for both debit and credit using freeze reason code 27 (twenty-seven) – “Account holder related–KYC non-compliant” with effect from Saturday, November 29, 2025, using KRA data updated as on November 27, 2025. For unfreezing, DPs must follow the demat unfreezing procedure set out in a communiqué dated September 5, 2023, and are advised to proactively engage with affected clients to regularise their KYC records and ensure ongoing compliance.
3.5. CDSL postpones go-live of new RDG Transfer transaction type
CDSL has issued a communiqué dated November 14, 2025 informing DPs that the live release of the new “RDG Transfer” transaction type, intended to enable seamless transfers of Government securities between demat accounts and Retail Direct Gilt (RDG) accounts, has been postponed from its earlier scheduled go-live on November 14, 2025 as announced in a previous communiqué dated November 7, 2025. DPs are advised to continue their readiness activities, await communication of a revised implementation date in due course, and route any queries on the postponement to the CDSL helpdesk through the specified e-mail and telephone contact points.
3.6. BSE to block trading for clients with ‘On Hold’ KYC from November 22, 2025
BSE has issued a compliance notice dated November 11, 2025 to all trading members on guidelines under the SEBI KRA Regulations, 2011, reiterating that, pursuant to SEBI circulars on simplification of KYC and the centralised mechanism for reporting the demise of investors, all regulated entities must block debit transactions and suspend all activity in accounts where an investor is reported deceased and close or inactivate the unique client code (UCC) across stock exchanges. The notice further states that clients whose KYC records, whether Aadhaar or non-Aadhaar based officially valid documents, remain “On Hold” and unvalidated with KRAs for records uploaded between October 1, 2025 and October 31, 2025 will not be permitted to trade or even square off open positions on the Exchange with effect from November 22, 2025, with such positions only expiring naturally on contract expiry, until validation requirements are satisfied and the corresponding PANs are reclassified as compliant on a T+1 (T plus one) basis.
4. Information Technology
4.1. CERT-In flags high-severity vulnerabilities across SAP products
CERT-In issued a High severity advisory on November 12, 2025, about multiple vulnerabilities in Systems Applications and Products in Data Processing (SAP) software across components such as NetWeaver, Solution Manager and Fiori. The flaws may allow sensitive data disclosure, arbitrary code execution, privilege escalation, denial of service, cache poisoning and malicious file upload, creating risk of data breach and full system compromise. The advisory targets SAP administrators, security teams and application developers, and calls for rapid mitigation through vendor patches and configuration hardening.
4.2. CERT-In issues critical advisory on multiple Adobe product flaws
CERT-In on November 12, 2025, issued a Critical severity note on multiple vulnerabilities affecting Adobe products, including Illustrator and Photoshop, that could let attackers bypass security restrictions, execute arbitrary code, and access sensitive information. The issues stem from memory-safety and authorisation flaws such as heap-based buffer overflow, out-of-bounds read/write, use-after-free, integer underflow, and incorrect authorisation. System administrators and security teams are advised to apply vendor patches promptly and harden configurations to mitigate risks of data theft, remote code execution, and full system compromise.
4.3. CERT-In issues high-severity advisory on GitHub Enterprise Server
CERT-In on November 12, 2025, warned of multiple vulnerabilities in GitHub Enterprise Server (GHES) affecting versions prior to 3.18.1, 3.17.0–3.17.6, 3.16.0–3.16.9, 3.15.0–3.15.13, and 3.14.0–3.14.18. The flaws, caused by improper input validation and insufficient sanitisation, may enable arbitrary code execution and DOM-based cross-site scripting, leading to privilege escalation, session hijacking, account takeover, and full system compromise; a related Redis issue could allow an authenticated user to run a crafted Lua script. Administrators are advised to apply vendor patches promptly and harden configurations.
4.4. CERT-In flags high-severity vulnerabilities in Mozilla Firefox and ESR
CERT-In on November 12, 2025, issued a High severity advisory on multiple flaws affecting Mozilla Firefox versions prior to 145 and Firefox Extended Support Release (ESR) prior to 140.5 and 115.30. The weaknesses include race conditions in Graphics, mitigation bypass in the Document Object Model (DOM), use-after-free in Audio/Video, WebRTC issues, spoofing, incorrect boundary conditions, and memory-safety bugs that could enable arbitrary code execution, data theft, and complete system compromise. CERT-In advises affected users and organisations to apply vendor updates and harden configurations promptly.
4.5. CERT-In highlights vulnerabilities in Drupal authentication and form modules
CERT-In issued a Medium severity advisory on November 13, 2025 on multiple vulnerabilities in the Email Two-Factor Authentication (TFA) and Simple multi step form modules of the Drupal content management system, affecting versions prior to 2.0.6 and 2.0.0 respectively. The flaws arise from inconsistent enforcement of TFA checks across different login mechanisms and improper validation of user input in form configuration. An attacker could bypass two-factor authentication via an unprotected login path or inject malicious scripts into system configuration, enabling cross-site scripting (XSS). These issues create a high risk of unauthorised access to sensitive data, data theft, and wider system compromise, and users of affected Drupal modules are advised to apply vendor fixes promptly.
4.6. CERT-In issues critical alert on Red Hat JBoss web server flaws
CERT-In on November 13, 2025, issued a Critical severity Vulnerability Note on multiple flaws in Red Hat JBoss Enterprise Web Server running on Red Hat Enterprise Linux (RHEL) 8 (eight), 9 (nine) and 10 (ten) x86_64, including Text-Only Advisories builds. The vulnerabilities arise from improper neutralisation of escape, meta, or control sequences and can be exploited by a remote attacker sending specially crafted requests to bypass security restrictions, execute arbitrary code, escalate privileges, and potentially cause service disruption or compromise sensitive data. CERT-In urges large enterprises and organisations using affected Red Hat JBoss deployments to apply vendor patches and harden configurations on priority.
4.7. CERT-In flags high-severity vulnerabilities across Microsoft products
CERT-In issued Advisory CIAD-2025-0043 on November 13, 2025, warning of multiple high-severity vulnerabilities across Microsoft products including Windows, Microsoft Office, SQL Server, Extended Security Updates (ESU), developer tools, Microsoft Dynamics, open-source software, System Center, Azure and Nuance PowerScribe. The flaws could allow attackers to gain elevated privileges, obtain sensitive information, bypass security restrictions, execute remote code, conduct spoofing attacks or cause denial-of-service conditions on affected systems, leading to potential system compromise, data exfiltration, ransomware attacks or system crashes. CERT-In highlights a specific privilege-escalation vulnerability in the Windows kernel (CVE-2025-62215), caused by improper synchronisation and memory management that creates a double-free condition and is already being exploited in the wild, and urges individuals, IT administrators and security teams responsible for Microsoft environments to prioritise patching and mitigation.
4.8. CERT-In warns of remote code execution flaw in Microsoft Graphics Component
CERT-In has issued Vulnerability Note CIVN-2025-0320 dated November 14, 2025 describing a high-severity remote code execution vulnerability in Microsoft Graphic Components (GDI+) used across multiple versions of Windows Server, Windows 10, Windows 11, Microsoft Office (including Microsoft Office LTSC for Mac 2021 and 2024) and Microsoft Office for Android. The advisory explains that Microsoft Graphics Components are core system libraries for rendering visual content and that a heap-based buffer overflow in these components could allow an attacker to execute arbitrary code or obtain sensitive information by persuading a user to download and open a specially crafted document or metafile, resulting in a high risk of unauthorised access to data and full system compromise. CERT-In identifies all organisations and individual users relying on Microsoft Graphic Components across Windows environments as the target audience and urges them to apply vendor patches and mitigations on priority to address the remote code execution risk.
4.9. CERT-In warns of high-risk flaws in QNAP QTS/QuTS hero
CERT-In on November 11, 2025, issued a High severity note on multiple vulnerabilities in QNAP’s QTS and QuTS hero operating systems. Affected builds prior to 5.2.7.3297 and h5.3.1.3292 may allow remote code execution and privilege escalation, leading to full system compromise. The issues arise from improper input validation and inadequate access control. Organisations and individuals using QNAP Network Attached Storage (NAS) and related products are urged to apply vendor patches and harden configurations immediately.
5. Finance
5.1. DFS launches unified startup loan application journey on Jan Samarth Portal
The Department of Financial Services (DFS) in the Ministry of Finance (MoF) launched the Startup Common Application Journey on the Jan Samarth Portal in New Delhi on November 12, 2025, providing a single digital platform through which startups can apply for loans, compare offers and track applications across Public Sector Banks (PSBs). The journey, developed by the Indian Banks’ Association (IBA) in collaboration with PSB Alliance, is backed by a Model Loan Scheme offering credit of up to INR 20,00,00,000 (Indian Rupees Twenty Crore only) under the Credit Guarantee Scheme for Startups (CGSS) operated by the National Credit Guarantee Trustee Company (NCGTC) under the Department for Promotion of Industry and Internal Trade (DPIIT), and integrates datasets such as PANs, Goods and Services Tax (GST), Udyam registration, Income Tax Returns (ITRs) and credit bureau information to speed up processing and enhance transparency. The initiative aims to build a collaborative, technology-driven lending ecosystem for startups, including interest concessions for women entrepreneurs, and is positioned as part of the Government of India’s broader vision of “Viksit Bharat 2047”.
Disclaimer
The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.
For further queries or details, you may contact:
Mr Anuroop Omkar
Founding Partner, AK & Partners




