AKP Corporate & Compliance Digest October 21, 2025

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.

1.  Labour Law

1.1.  EPFO extends ECR filing window for September wage month

The Employees’ Provident Fund Organisation (“EPFO”) extended the due date to file the new Electronic Challan-cum-Return (“ECR”) for the September 2025 wage month to October 22, 2025, citing employer requests to adapt to the revamped system; EPFO said the upgrade simplifies return filing via the employer portal and improves data accuracy, sequential return validation and compliance, and it is running nationwide outreach with industry stakeholders and regional workshops to support a smooth transition.

1.2. Delhi issues revised VDA with effect from October 01, 2025

Government of National Capital of Delhi issued a notification on October 13, 2025, revising Dearness Allowance components in the state minimum wages for the period October 1, 2025, to March 31, 2026, under the Minimum Wages Act, 1948; employers in Delhi should apply the new rates in wage calculations for all scheduled categories.

i) Minimum Wages for Unskilled, Semi-Skilled, and Skilled Categories

(effective October 1, 2025) 

1.3.  Ministry of Labour and Employment launches EES 2025 to expand EPFO coverage

The Ministry of Labour and Employment (MoLE) announced the Employees’ Enrolment Scheme, 2025 (“EES 2025”) to regularise past coverage under the Employees’ Provident Fund Organisation (EPFO). The scheme will be operational from November 1, 2025, to April 30, 2026. Employers may voluntarily declare and enrol eligible workers who joined between July 1, 2017, and October 31, 2025, but were not earlier enrolled. The employee’s past provident-fund share will be waived if it was not deducted from wages, and only the employer’s share will be payable. Nominal penal damages have been fixed at INR 100 (Indian Rupees One Hundred only). Eligibility under the scheme will be irrespective of any ongoing proceedings under Section 7A of the Employees’ Provident Funds and Miscellaneous Provisions Act, 1952, paragraph 26B of the Employees’ Provident Fund Scheme, 1952, or paragraph 8 of the Employees’ Pension Scheme, 1995. No suo motu compliance action will be taken against employees covered by the declaration, including those who have left employment as of the declaration date. Filing under the scheme will be available online through the ECR system. Those registered or declaring under EES 2025 will also be eligible for benefits under the Pradhan Mantri Viksit Bharat Rojgar Yojana, subject to applicable terms and conditions.

2. Stamp Duty

2.1. Delhi orders strict Section 47-A compliance to curb undervaluation

The Revenue Department of the National Capital Territory of Delhi (NCTD) issued a Circular on October 13, 2025, directing all Sub-Registrars and Joint Sub-Registrars to implement Delhi High Court (DHC) directions in writ petition WP(C) 3591/2014 and ensure strict compliance with Section 47-A of the Indian Stamp Act, 1899 (ISA) for market-value assessment and recovery of any stamp duty deficiency in residential property registrations.

3.  Stock Exchanges

3.1.  NSE escalates penalties for repeated net worth shortfalls

National Stock Exchange (“NSE”) tightened enforcement of minimum net worth norms for clearing members prescribed under Securities and Exchange Board of India (“SEBI”) Gazette Notification No. SEBI/LAD-NRO/GN/2022/73 by levying a penalty of INR 50,000 (Indian Rupees Fifty Thousand only) on the first instance of reporting shortfall, a 50 per cent (fifty per cent) escalation on the second instance, a 100 per cent (one hundred per cent) escalation on the third, and referral of the fourth instance to the Member Committee (MC), in addition to deposit blocking under the May 8, 2025 circular; applicable with immediate effect to all Clearing Members, Self-Clearing Members and Professional Clearing Members.

3.2. NSE tightens System Audit

NSE has mandated Type-III system audits for Trading Members for the April–September 2025 half-year with an audit plan due by November 7, 2025, a preliminary report by November 30, 2025, and an Action Taken Report (“ATR”) by February 28, 2026; only exchange-empanelled auditors may be appointed, physical visits must capture geo-location, and submission is contingent on filing an Algorithmic-trading Management Information System (“Algo MIS”), Version Confirmation and Assessment Details, with Qualified Stock Broker (“QSB”) reports requiring Governing Board and Standing Committee on Technology (SCOT) approval; penalties include per-day charges for delay that scale from INR 1,500 (Indian Rupees One Thousand Five Hundred only) for non-QSBs and INR 3,000 (Indian Rupees Three Thousand only) for QSBs in the first 7 (seven) days to INR 2,500 (Indian Rupees Two Thousand Five Hundred only) and INR 5,000 (Indian Rupees Five Thousand only) for days 8–21 (eight to twenty-one), potential trading disablement after 28 (twenty-eight) days, and additional non-closure fines per observation of up to INR 30,000 (Indian Rupees Thirty Thousand only) for high-risk items.

3.3.  BSE to block trading for KRA-unvalidated clients; deceased PANs actioned

Bombay Stock Exchange Limited (“BSE”) directed members under SEBI Know Your Client (“KYC”) and KYC Registration Agency (“KRA”) rules to block debit transactions and inactivate or close the Unique Client Code (UCC) for Permanent Account Numbers (“PANs”) flagged as deceased via the centralised reporting mechanism, and announced that clients whose KYC uploaded between September 1, 2025 and September 30, 2025 are not validated by KRAs will be marked “Not Permitted to Trade” from October 25, 2025 and, effective October 27, 2025, cannot trade or square off open positions until validation, with positions expiring naturally; once a PAN is validated, trading resumes on T+1 (T plus one) based on KRA data flows.

3.4. BSE mandates empanelled system audits with geo-tagged visits and strict timelines

BSE ordered Trading Members (TMs) to complete the half-yearly system audit for April–September 2025 using only Exchange-empanelled auditors, file an audit plan via the BSE Electronic Filing System (BEFS), and submit a preliminary audit report by November 30, 2025 and an ATR by February 28, 2026; auditors must capture geo-location during on-site visits via the Exchange portal using member connectivity, preserve working papers for 3 (three) years, and file an Assessment Detail Report, while members must submit Algo MIS checks against 38 (thirty-eight) controls and a Version Compliance Confirmation, with QSBs requiring Governing Board and Standing Committee on Technology (SCOT) approvals; penalties for non-compliance are specified in Annexure D and the Exchange will accept only empanelled-auditor reports.

3.5. NSDL updates off-market transfer validations for ETF creation

National Securities Depository Limited (“NSDL”) issued a Participant Services Circular revising validation for off-market reason code 30—transfer of constituent shares for creation of Exchange-Traded Fund (ETF) units—so such transfers are permitted only when either the source or target demat account is of Type “Mutual Fund”, with the change live from end of day October 10, 2025; Participants must align back-office systems, disseminate the update to clients, and reinforce correct reason-code selection, while Annexure A restates validations for other codes and the circular reiterates forthcoming compliance timelines, including the Investor Grievance Report by the 10 (ten), net-worth certificate and audited financial statements by October 31 (thirty-one), the cyber security and cyber resilience quarterly filing by the 15 (fifteen), and half-yearly Risk-Based Supervision submissions by October 31 (thirty-one).

3.6. NSE mandates TRAI TCCCPR-compliant communications for clearing members

NSE directed clearing members to comply with the Telecom Regulatory Authority of India (“TRAI”) amendments to the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR, 2018) to curb Unsolicited Commercial Communication (UCC), including whitelisting Uniform Resource Locators (URLs) and Android Application Packages (APKs), using the 1600 series for service and transactional calls, avoiding normal 10-digit numbers for any commercial communication, employing Session Initiation Protocol/Primary Rate Interface (SIP/PRI) only in line with TCCCPR, cooperating with the Indian Cybercrime Coordination Centre (I4C) and TRAI on reporting, and strengthening internal controls over registered headers and content templates.

4.  Information Technology

4.1. CERT-In warns of Critical Adobe product vulnerabilities

Indian Computer Emergency Response Team (“CERT-In”) issued Advisory CIAD-2025-0036 on multiple flaws across Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, InDesign, Animate, Adobe Experience Manager (AEM), Substance 3D apps, FrameMaker, Illustrator, Dimension and others that permit remote code execution, security bypass, privilege escalation, sensitive-information disclosure, or Denial-of-Service (“DoS”); issues include improper access control and authorisation, time-of-check to time-of-use errors, heap and stack buffer overflows, use-after-free, and out-of-bounds reads or writes, with immediate vendor patching advised via Adobe’s security bulletins.

4.2. CERT-In warns of High-severity flaws in Juniper Networks

CERT-In issued Advisory CIAD-2025-0038 on multiple vulnerabilities in Juniper Networks’ Junos OS, Junos OS Evolved, Junos Space and Junos Space Security Director that may enable security-restriction bypass, Remote Code Execution (RCE), elevation of privilege, information disclosure, DoS and Cross-Site Scripting (XSS); risk is High with potential for unauthorised access and service disruption, and administrators should apply the vendor’s security updates without delay.

4.3.  CERT-In flags High-severity flaws across Fortinet products

CERT-In issued Vulnerability Note CIVN-2025-0271 warning that multiple vulnerabilities across Fortinet products may enable Remote Code Execution (RCE), elevation of privilege, bypass of security controls, sensitive-information disclosure, and DoS; affecting numerous versions across network operating systems, security gateways, management platforms, wireless, and cloud services, the issues stem from memory-corruption bugs, command injection, and improper access control, with administrators advised to apply Fortinet’s security updates without delay.

4.4.  CERT-In warns of XSS in Zimbra Collaboration Suite

CERT-In issued Vulnerability Note CIVN-2025-0242 on a High-severity cross-site scripting (XSS) flaw in Zimbra Collaboration Suite (ZCS) where insufficient sanitisation of iCalendar (ICS) content lets malicious JavaScript run in a user’s session, risking account takeover and data exfiltration; affected builds include Kepler before 9.0.0 P44 and Daffodil before 10.0.13 and 10.1.5, the issue is tracked as CVE-2025-27915 and is being exploited in the wild, and administrators should apply the vendor’s security fixes without delay.

4.5. CERT-In warns of High-severity ChromeOS/ChromeOS Flex flaws

CERT-In issued Vulnerability Note CIVN-2025-0272 warning that Google ChromeOS versions prior to 16404.45.0 (browser 141.0.7390.115) contain multiple bugs—heap buffer overflows in Video, WebGPU and Sync; side-channel information leakage in Tab and Storage; use-after-free in V8 and Storage; off-by-one in V8; and improper Media implementation—allowing remote code execution (RCE), bypass of security restrictions, DoS and sensitive-data disclosure, and advised users and administrators of ChromeOS and ChromeOS Flex to apply the vendor’s stable-channel update without delay.

4.6. CERT-In warns of High-severity Mozilla product vulnerabilities

CERT-In issued Vulnerability Note CIVN-2025-0273 on multiple flaws in Mozilla Firefox prior to 144, Firefox Extended Support Release (ESR) prior to 115.29 and 140.4, and Mozilla Thunderbird prior to 140.4 and 144 that could enable arbitrary code execution, elevation of privilege, information disclosure, DoS and spoofing; weaknesses include use-after-free in MediaTrack-GraphImpl: GetInstance(), memory corruption, out-of-bounds reads and writes, cross-process information leakage via malicious Inter-Process Communication (IPC) messages and WebGL textures, object tag attribute misuse overriding content-type behaviour, Android address-bar spoofing and external-app launches, with users advised to apply Mozilla’s latest security updates immediately.

4.7. CERT-In warns of High-severity Microsoft product vulnerabilities

CERT-In issued Advisory CIAD-2025-0037 rating “High” for multiple flaws across Microsoft Windows, Microsoft Office, Microsoft SQL Server, Azure, Developer Tools, Server Software, System Center, Apps and Open Source Software that could enable elevation of privilege, bypass of security restrictions, remote code execution (RCE), spoofing, information disclosure, DoS and tampering; CERT-In notes exploitation in the wild of 3 (three) Common Vulnerabilities and Exposures (CVE) identifiers—CVE-2025-24990, CVE-2025-47827 and CVE-2025-59230 and advises urgent application of Microsoft’s October 2025 security updates.

Disclaimer

The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.

For further queries or details, you may contact:

Mr Anuroop Omkar

Founding Partner, AK & Partners

info@akandpartners.in