Corporate & Compliance Digest March 23, 2026

  • Writer: AK & Partners

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.


1. Labour Law

 

1.1. EPFO Simplifies Overseas PF Payments for International Workers from SSA Countries

The Employees’ Provident Fund Organisation (“EPFO”) has issued a circular dated 18 March 2026, introducing a revised framework for facilitating payment of provident fund accumulations to overseas bank accounts of International Workers and their beneficiaries belonging to countries with which India has entered into Social Security Agreements (“SSAs”). The circular seeks to streamline the existing procedure and address practical challenges faced by stakeholders. The revised framework provides that the facility of overseas remittance is restricted to SSA countries and allows International Workers to receive payments in India, their home country, or a third country, in accordance with the relevant SSA. It simplifies verification of foreign bank accounts through employer or competent authority attestation and centralises tax compliance by designating EPFO as the remitter responsible for filing Forms 15CA and 15CB through Regional Office, Delhi (North). The circular further prescribes a structured process for claim settlement, documentation, and reconciliation across regional offices, with strengthened accountability mechanisms.

 

1.2. EPFO Clarifies PAN Linking Process and Introduces Manual Verification Facility

EPFO has issued a circular dated March 16, 2026, clarifying the process for linking Permanent Account Number (“PAN”) with establishment profiles on the EPFO Unified Portal and introducing a manual verification facility for cases involving minor mismatches between EPFO records and the PAN database. The circular provides that PAN linking will continue through API-based validation with the Income Tax database, with specific clarifications for proprietorships, branches, and establishments run by societies or trusts. It further introduces a functionality enabling field offices to manually approve PAN linkage in cases of minor discrepancies, subject to due verification and recording of reasons, thereby simplifying the process while ensuring compliance.

 

1.3. EPFO Issues Directions for Timely Conclusion of Assessment Proceedings in IBC Cases

EPFO has issued a circular dated March 17, 2026, laying down directions for the timely conclusion of proceedings relating to assessment or levy of provident dues in cases under the Insolvency and Bankruptcy Code, 2016 (“IBC”). The circular seeks to address delays and inconsistencies in assessment practices impacting claim filings before Resolution Professionals and Liquidators. The circular highlights that delays in filing Employees’ Provident Fund claims and improper or inflated assessments often lead to rejection of claims and prolonged litigation. It mandates a more evidence-based assessment approach with proper identification of beneficiaries and directs that all proceedings in IBC cases be conducted on a priority, time-bound basis. The framework further assigns responsibility to designated assessing officers, requires transfer and tracking of cases within strict timelines, and introduces enhanced supervisory review mechanisms to ensure accuracy, uniformity, and timely recovery of dues.

 

1.4. Government Issues Additional FAQs Clarifying Key Aspects of Labour Codes

The Ministry of Labour and Employment has released additional FAQs dated March 16, 2026, providing clarifications on various provisions under the Labour Codes, including the Code on Wages, 2019, Code on Social Security, 2020, Industrial Relations Code, 2020, and the Occupational Safety, Health and Working Conditions Code, 2020. The FAQs aim to address interpretational issues and facilitate smoother implementation of the Codes. The clarifications cover key aspects such as inclusion and exclusion of components in the definition of “wages”, applicability of overtime and gratuity provisions, treatment of fixed-term employees, employee state insurance coverage, and leave entitlements. The FAQs also address practical issues including PAN-based compliance, distinction between wages and minimum wages, and applicability of benefits across categories of employees. The guidance seeks to provide greater clarity to employers and employees while ensuring uniform understanding and application of the Labour Codes.

 

1.5. ESIC Revises SOP for Creation of Name-Based Official Email IDs

Employee State Insurance Corporation (“ESIC”) has issued a circular dated 19 March 2026, revising the Standard Operating Procedure (“SOP”) for creation of name-based official email IDs through the eForms platform, in partial modification of its earlier SOP dated January 5, 2026. The revision aims to streamline the process for creation and activation of official email accounts for ESIC personnel. The updated SOP lays down a structured, multi-level workflow involving user registration and request submission through eForms, followed by approvals from the Reporting Officer, ESIC headquarters (DA Admin), and NIC authorities, culminating in creation of the official email ID. It also addresses scenarios involving new employees and users facing access issues due to system migration, while standardising naming conventions and approval protocols to ensure consistency, traceability, and administrative control over official communications.

 

2. Securities Market

 

2.1. NSE issues operational guidelines and Standard Operating Procedure on Closing Auction Session in the equity cash segment

National Stock Exchange of India Limited (“NSE”) has issued operational guidelines and Standard Operating Procedure for implementation of the Closing Auction Session in the equity cash segment, pursuant to the SEBI circular dated 16 January 2026 and earlier exchange communication. In a phased roll‑out, the closing price for stocks with derivative contracts will be discovered through CAS with a ±3 per cent (three per cent) price band around a reference price derived from volume weighted average price between 3:00 p.m. and 3:15 p.m., aligned bands for stock futures during 3:15 p.m. to 3:40 p.m., specified treatment where there are no trades, and a restricted order book that allows only full‑quantity limit and market orders (including algo market orders in CAS), while maintaining the existing framework for options price bands and limit price protection ranges.

 

2.3. NSDL issues policy amendment on fee for conversion, reconversion and redemption of mutual fund units and other instruments

National Securities Depository Limited (“NSDL”) has amended Rule 21.2.5 of its Business Rules governing fees for conversion, reconversion and redemption of mutual fund units, with effect from 1 May 2026. While conversion of units represented by statement of account into dematerialised form continues to attract no depository fee, NSDL has clarified a standardised fee grid under which participants are charged INR 10 (Indian Rupees Ten only) per instruction for reconversion of mutual fund and specified investment fund (“SIF”) units into statement of account and INR 4.50 (Indian Rupees Four and Fifty Paisa) per instruction for redemption of real estate investment trusts (“REITs”), infrastructure investment trusts (“InvITs”), alternative investment funds (“AIFs”) and exchange traded funds (“ETFs”) through participants, with no depository fee for redemption of mutual fund and SIF units.

 

2.4. NSDL issues amendment and tightens framework for client mandate revocation and electronic access disablement

NSDL has amended Annexure O, Clause B(o) of its Business Rules, splitting the existing provision into two distinct clauses – Clause B(o) and Clause B(p) – to remove ambiguity around revocation of mandates and disabling client access to electronic mandate facilities. Clause B(o) now simply requires that trading members enable clients to revoke or cancel mandates, while new Clause B(p) obligates participants and trading members to use best efforts to promptly disable the client’s electronic access within one working day of receiving such intimation, and clarifies that they will not be liable for losses arising from instructions received and executed prior to such disablement.

 

3. Information Technology

 

3.1. CERT-In Flags Critical Vulnerabilities in Zoom Products

The Indian Computer Emergency Response Team (“CERT-In”) has issued Vulnerability Note CIVN-2026-0139 dated 16 March 2026, highlighting multiple critical vulnerabilities affecting various Zoom products. The advisory categorises the severity as “Critical” and urges immediate action by users and organisations. The vulnerabilities impact multiple versions of Zoom applications, including Zoom Workplace for Windows, Zoom Rooms, VDI clients, and Meeting SDKs. According to the advisory, these vulnerabilities arise due to issues such as improper privilege management, inadequate input validation, and insufficient version checks. Exploitation of these flaws could allow attackers to gain elevated privileges, access sensitive information, and compromise system integrity, potentially leading to service disruption. CERT-In has recommended that users and organisations apply the latest security updates issued by Zoom to mitigate the risks and prevent potential exploitation.

 

3.2. CERT-In Flags Critical Vulnerabilities in Drupal Plugins

CERT-In has issued Vulnerability Note CIVN-2026-0140 dated 16 March 2026, highlighting multiple critical vulnerabilities affecting Drupal core and associated plugins. The advisory categorises the severity as “Critical” and calls for immediate remediation. The vulnerabilities impact certain versions of Drupal core and arise due to improper access control and inadequate sanitisation of untrusted inputs, including HTML and Markdown content. Exploitation of these vulnerabilities could allow remote attackers to bypass access controls and gain unauthorized access to sensitive information, potentially compromising system integrity. CERT-In has advised organisations and users to apply the latest security updates and patches released by Drupal to mitigate the identified risks and prevent potential exploitation.

 

3.3. CERT-In Flags High Severity Vulnerabilities in Google Chrome for Desktop

CERT-In has issued Vulnerability Note CIVN-2026-0141 dated 16 March 2026, highlighting multiple vulnerabilities in Google Chrome for Desktop, categorised with a “High” severity rating. The advisory calls for immediate attention from users and organisations. The vulnerabilities affect Google Chrome versions prior to 146.0.7680.80 across Windows, macOS, and Linux systems. These issues arise due to flaws such as out-of-bounds write vulnerabilities and improper implementation within browser components, which could be exploited by remote attackers through specially crafted web pages. Successful exploitation may allow attackers to execute arbitrary code, gain unauthorized access, and compromise system integrity. CERT-In has further noted that certain vulnerabilities are actively being exploited in the wild, significantly increasing the risk of compromise. Users and organisations are therefore strongly advised to apply the latest Chrome security updates and patches immediately to mitigate potential threats.

 

3.4. CERT-In Flags Critical RADIUS Vulnerability in Hitachi Energy XMC20 Products

CERT-In has issued Vulnerability Note CIVN-2026-0142 dated 17 March 2026, identifying a critical vulnerability in Hitachi Energy XMC20 industrial network products. The advisory classifies the severity as “Critical”. The vulnerability affects XMC20 versions including R18 and earlier, arising from improper validation of message integrity in the RADIUS protocol. Exploitation of this flaw could allow an unauthenticated attacker to forge authentication responses, leading to unauthorized access, data disclosure, alteration, and potential service disruption. CERT-In has advised affected organisations to implement vendor-recommended mitigations and apply necessary updates to address the vulnerability and safeguard system integrity.

 

3.5. CERT-In Flags High Severity Vulnerabilities in Schneider Electric EBO Workstation/WebStation

CERT-In has issued Vulnerability Note CIVN-2026-0143 dated 17 March 2026, identifying multiple vulnerabilities in Schneider Electric’s EcoStruxure Building Operation (EBO) Workstation and WebStation, classified with a “High” severity rating. The vulnerabilities, including XML External Entity (XXE) injection and code execution flaws, arise due to improper input validation and inadequate access controls. Exploitation could allow attackers to gain unauthorized access, execute malicious code, access sensitive data, or disrupt services. CERT-In has advised organisations to apply vendor-recommended updates and mitigations, including upgrading affected versions, to address these vulnerabilities and reduce the risk of compromise.

 

3.6. CERT-In Flags Medium Severity Information Disclosure Vulnerability in Wing FTP Server

CERT-In has issued Vulnerability Note CIVN-2026-0144 dated 18 March 2026, identifying an information disclosure vulnerability in Wing FTP Server, classified with a “Medium” severity rating. The vulnerability affects Wing FTP Server versions prior to 7.4.4 and arises due to improper validation of session cookies. Exploitation of this flaw could allow an authenticated attacker to access sensitive information, including disclosure of the local server path, potentially exposing internal system details. CERT-In has advised users and organisations to apply the latest security updates provided by the vendor to mitigate the risk and prevent potential exploitation.

 

3.7. CERT-In Flags High Severity Information Disclosure Vulnerability in Microsoft M365 Copilot

CERT-In has issued Vulnerability Note CIVN-2026-0146 dated 18 March 2026, identifying an information disclosure vulnerability in Microsoft M365 Copilot, categorised with a “High” severity rating. The vulnerability affects multiple Microsoft 365 applications integrated with Copilot, including Word, Excel, Teams, Outlook, and others. It arises due to AI prompt injection, which could be exploited by embedding malicious instructions within user-controlled content such as emails or documents. Successful exploitation may allow attackers to access sensitive information and perform limited data manipulation. CERT-In has advised users and organisations to apply vendor-recommended updates and security measures to mitigate the risk and prevent potential exploitation.

 

3.8. CERT-In Flags High Severity Remote Code Execution Vulnerabilities in Windows RRAS

CERT-In has issued Vulnerability Note CIVN-2026-0147 dated 19 March 2026, identifying multiple vulnerabilities in Microsoft Windows Routing and Remote Access Service (RRAS), classified with a “High” severity rating. The vulnerabilities affect RRAS versions prior to specified OS builds and arise due to improper handling of memory conditions, including issues such as integer overflow. Exploitation of these flaws could allow attackers to execute arbitrary code, gain unauthorized access, and compromise affected systems, particularly by inducing connections to malicious remote servers. CERT-In has advised users and organisations to apply the latest security updates released by Microsoft to mitigate the risk and prevent potential exploitation.

 

3.9. CERT-In Flags High Severity Vulnerabilities in GitLab Products

The Indian Computer Emergency Response Team (“CERT-In”) has issued Vulnerability Note CIVN-2026-0148 dated 19 March 2026, identifying multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), categorised with a “High” severity rating. The vulnerabilities affect GitLab versions prior to 18.9.2, 18.8.6, and 18.7.6, and arise due to issues such as improper input validation, inadequate access controls, and insufficient sanitisation of user inputs. Exploitation of these flaws could allow remote attackers to trigger cross-site scripting (XSS), disclose sensitive information, bypass security restrictions, and cause denial of service (DoS). CERT-In has advised organisations and users to apply the latest security patches released by GitLab to mitigate the risks and prevent potential exploitation.

 

3.10. CERT-In Flags High Severity Security Bypass Vulnerability in Apple Products

CERT-In has issued Vulnerability Note CIVN-2026-0149 dated 19 March 2026, identifying a security bypass vulnerability in Apple products, categorised with a “High” severity rating. The vulnerability affects certain versions of iOS, iPadOS, and macOS, and arises due to improper validation within the WebKit component. Exploitation of this flaw could allow attackers to bypass the Same Origin Policy, leading to unauthorised cross-origin access and potential exposure of sensitive data. CERT-In has advised users and organisations to apply the latest security updates released by Apple to mitigate the risk and prevent potential exploitation.

 

3.11. CERT-In Flags Critical Vulnerabilities in Apple iOS and iPadOS

The Indian Computer Emergency Response Team (“CERT-In”) has issued Vulnerability Note CIVN-2026-0150 dated 19 March 2026, identifying multiple vulnerabilities in Apple iOS and iPadOS, categorised with a “Critical” severity rating. The vulnerabilities affect multiple Apple platforms and versions, including iOS, iPadOS, macOS, and Safari components. These issues arise due to flaws such as use-after-free vulnerabilities in the kernel and type confusion in WebKit, which could be exploited through specially crafted web content. Successful exploitation may allow attackers to execute arbitrary code, cause memory corruption, gain unauthorised access, and potentially manipulate sensitive data or disrupt services. CERT-In has advised users and organisations to apply the latest security updates released by Apple to mitigate the risks and prevent potential exploitation.

 

3.12. CERT-In Flags Critical Remote Code Execution Vulnerability in telnetd

CERT-In has issued Vulnerability Note CIVN-2026-0151 dated 19 March 2026, identifying a critical remote code execution vulnerability in GNU InetUtils telnet daemon (telnetd), categorised with a “Critical” severity rating. The vulnerability affects telnetd versions up to 2.7 and arises due to improper handling of protocol option negotiation. Exploitation of this flaw could allow an unauthenticated attacker to execute arbitrary code with root privileges, potentially leading to full system compromise. CERT-In has advised administrators and users to apply appropriate updates and security measures to mitigate the risk and prevent potential exploitation.

 

3.13. CERT-In Flags High Severity SQL Injection Vulnerability in Ally WordPress Plugin

CERT-In has issued Vulnerability Note CIVN-2026-0152 dated 19 March 2026, identifying a SQL injection vulnerability in the Ally WordPress plugin, categorised with a “High” severity rating. The vulnerability affects Ally – Web Accessibility & Usability plugin version 4.0.3 and arises due to insufficient sanitisation and validation of user inputs in SQL queries. Exploitation of this flaw could allow attackers to execute arbitrary SQL commands, access or modify sensitive data, and potentially compromise affected systems. CERT-In has advised website owners and administrators to apply appropriate updates and security measures to mitigate the risk and prevent potential exploitation.

 

4. Tax

 

4.1. Government publishes Income Tax Rules, 2026

The Central Government has published the Income Tax Rules, 2026 on 20 March 2026, introducing a comprehensive framework to operationalise the Income Tax Act, 2025, which is set to come into force from 1 April 2026. The Rules aim to simplify the existing tax regime and enhance clarity, transparency, and compliance. The notified Rules streamline the overall structure by rationalising and consolidating provisions, forms, and procedures, reducing complexity under the earlier 1962 framework. They introduce updated reporting and disclosure requirements, revised formats for returns and certificates, and clearer rules governing allowances, perquisites, and capital gains. The framework also emphasises digitisation and standardisation of compliance processes, with enhanced disclosure norms to improve transparency and curb tax evasion.

 

4.2. CBIC Notifies Customs Tariff Values under Notification No. 27/2026-Customs (N.T.)

The Central Board of Indirect Taxes and Customs (“CBIC”) has issued Notification No. 27/2026-Customs (N.T.) dated 19 March 2026, published in the Official Gazette, amending tariff values for specified goods under the Customs Act, 1962. The notification substitutes Table 1, Table 2, and Table 3 of the principal Notification No. 36/2001-Customs (N.T.), covering tariff values for commodities such as crude and refined palm oil, palmolein, soybean oil, brass scrap, gold, silver, and areca nuts. As reflected in the tables (pages 2–5), most tariff values remain unchanged, continuing to be prescribed in US dollar terms per unit. The notification comes into effect from 20 March 2026, forming part of the periodic revision mechanism for tariff valuation aligned with prevailing international price trends.

 

5. Regulatory Enforcement / Compliance Action

 

Authority: Registrar of Companies (“ROC”), Chennai
Name of Company: Sri Abhinandan Foundation Private Limited
Amount of Penalty Imposed: The default was rectified before the Show Cause Notice dated 14 January 2026; exercising discretion under Section 454(2), the ROC concluded the matter without imposing any penalty.
Contravention: Violation of Section 92(4) relating to delayed filing of annual returns. The company had conducted its Annual General Meeting for FY 2022-23 on 1 January 2024 but failed to file its Annual Return in Form MGT-7A within the statutory 60 (Sixty) day period. The annual return was eventually filed on 16 June 2025, resulting in a delay of 565 (Five Hundred and Sixty-Five) days, thereby attracting penal provisions under Section 92(5) of the Companies Act, 2013.

Authority: Registrar of Companies (“ROC”), Kolkata
Name of Company: Multi Purpose Bios India Limited
Amount of Penalty Imposed: INR 1,88,500 (Rupees One Lakh Eighty-Eight Thousand Five Hundred only)
Contravention: Violation of Section 137(3) of the Companies Act, 2013, due to the failure to file financial statements for the financial year 2022-23.


 

 

 

Disclaimer


The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.


For further queries or details, you may contact:


Mr Anuroop Omkar

Founding Partner, AK & Partners

