We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. EPFO simplifies the Aadhaar seeding and correction process for UAN holders
The Employees' Provident Fund Organisation ("EPFO") has issued revised guidelines to facilitate and simplify the seeding and correction of Aadhaar details linked with the Universal Account Number ("UAN"). Members whose Aadhaar matches with UAN records can have their employers seed Aadhaar directly without EPFO's approval. For mismatches or corrections, employers can now use the online Joint Declaration ("JD") functionality to submit requests for rectification, which require approval from the Assistant Provident Fund Commissioner (APFC) after due verification. Members without accessible employers or closed establishments may submit physical JD forms attested by authorised officials.
1.2. The Ministry of Labour and Employment has issued the Private Placement Agency (Regulation) Bill, 2025, for public consultation
The Directorate General of Employment (DGE), Ministry of Labour and Employment, has released the draft "The Private Placement Agency (Regulation) Bill, 2025" for public consultation. This bill aims to regulate private placement agencies operating in India and abroad, promoting transparency and accountability in recruitment practices. Stakeholders and the general public are invited to review the draft and submit their feedback, comments, or suggestions via email to ddg-dget@nic.in by September 12, 2025.
1.3. Delhi Government amends Shops and Establishments Act to empower employment of women with strict safeguards
The Government of Delhi has amended Schedule I of the Delhi Shops and Establishments Act, 1954, to broadly permit, subject to strict conditions, the employment of women in all establishments (except liquor shops) and various operational exemptions for all shops and commercial establishments. Conditions include limits on daily and weekly working hours, mandatory overtime pay, safe shift patterns, employee safety and transport for late shifts, installation and preservation of CCTV footage, provision of legal employment benefits, electronic wage payment, provision of required amenities, and compliance with all applicable notifications from other authorities. Employers of women must also constitute an Internal Complaints Committee under the Sexual Harassment of Women at Workplace (Prevention, Prohibition, and Redressal) Act, 2013, and obtain consent before assigning night shifts.
1.4. Himachal Pradesh allows night shift work for women in shops and commercial establishments
The Himachal Pradesh Labour, Employment & Overseas Placement Department issued a notification superseding the earlier one dated July 05, 2025, and bringing it into effect immediately. The notification permits women workers to be employed in night shifts between 7 PM and 7 AM in all shops and commercial establishments. It allows women to work over 8 hours a day but within 48 (forty-eight) hours a week, while ensuring they receive maternity benefits under the Maternity Benefit Act, 1961. Compliance with the Sexual Harassment of Women at Workplace Act, 2013, is compulsory, and employers must file quarterly electronic returns on women engaged in night shifts. This relaxation has been made under Section 27 of the Himachal Pradesh Shops & Commercial Establishments Act, 1969, to ensure gender equality at workplaces while balancing safety and welfare provisions.
1.5. Extension of public utility service status for the transport industry under the Industrial Disputes Act, 1947
The Ministry of Labour and Employment has extended the status of services engaged in the industry of Transport (other than railways) for carriage of passengers or goods by land or water, covered under item 1 of the First Schedule to the Industrial Disputes Act, 1947, as a 'public utility service' for a further six months from August 16, 2025. This extension follows a previous notification and continues to ensure these vital services are covered for industrial dispute management, including specific provisions on strikes and lockouts, in the public interest.
2. Stamp Duty
2.1. Punjab cabinet approves amendment to the Punjab Cooperative Societies Act, 1961
The Punjab Cabinet approved an amendment to the Punjab Cooperative Societies Act, 1961 and the withdrawal of stamp duty and registration fee exemptions for certain classes of cooperative societies. With this amendment, residents who buy apartments/flats from original allottees or subsequent buyers will now have to pay stamp duty while getting their property registered with the revenue department of the government. Accordingly, Section 37 of the law has been amended by adding clauses 2 and 3, which stipulate that the state government may, through a notification in the official gazette, direct that exemption under sub-section (1), or any part thereof, shall not apply to certain classes of cooperative societies or specified categories of instruments.
3. Stock Exchange
3.1. SEBI amends Foreign Portfolio Investors regulations to exempt government securities-only investors from certain provisions
On August 11, 2025, the Securities and Exchange Board of India ("SEBI") issued the Securities and Exchange Board of India (Foreign Portfolio Investors) (Amendment) Regulations, 2025, which will come into force 180 (one hundred eighty) days from the date of publication in the Official Gazette. The amendment introduces specific exemptions for foreign portfolio investors ("FPIs") who invest solely in Government Securities. Key changes insert provisos in Regulations 4 and 22 of the 2019 Foreign Portfolio Investors regulations to exempt such FPIs from certain standard requirements and provisions that apply to other types of FPI investments, subject to conditions specified by SEBI from time to time.
3.2. CDSL issues a communique on the ease of doing business policy for joint annual inspection by MIIs
Central Depository Services (India) Limited ("CDSL") issued a communiqué dated August 12, 2025, advising its depository participants ("DPs") to refer to the SEBI circular dated August 7, 2025. The communiqué highlights SEBI's new policy on the ease of doing business through joint annual inspections by Market Infrastructure Institutions ("MIIs"), an information-sharing mechanism among MIIs, and the designation of a Lead MII for enforcement actions. CDSL urges DPs to take note of these changes, which aim to streamline inspections, reduce operational disruptions, and improve regulatory oversight.
3.3. NSDL has issued a circular on amendments to bye-laws and business rules on restricted transferability and freeze/unfreeze of unlisted securities
National Securities Depository Limited ("NSDL") has issued a circular dated August 11, 2025, announcing amendments to its bye-laws and business rules regarding "Restricted Transferability" and the "Freeze and/or Unfreeze" of unlisted securities for private limited companies. These amendments allow issuers to formally request NSDL to impose or remove transfer restrictions, such as on pledges, margin pledges, hypothecation, or encumbrances on their unlisted securities. Additionally, issuers may request freezing or unfreezing of their unlisted securities to comply with statutory obligations. NSDL will verify requests and grant approvals accordingly. Issuers are responsible and liable for any third-party consequences arising from these actions and must indemnify NSDL. Participants are required to comply with these updated procedures.
3.4. CDSL mandates capturing 'Date of Receipt' for off-market delivery instructions
CDSL, by communique no. DP2025-543, has announced that, effective from September 27, 2025, all DPs must mandatorily record the 'Date of Receipt' for off-market Delivery Instruction Slips (DIS) received from clients. This move, aligned with CDSL bye-laws, requires DPs to enter this date while executing both intra-depository (CDSL to CDSL) and inter-depository (CDSL to NSDL) off-market instructions. If a delay of more than 2 (two) days occurs between receipt and setup, the DP must provide a valid reason for the delay.
3.5. CDSL issues a communique on online training on compliance and regulatory requirements
CDSL has announced, by communique no. DP2025-540, an online training programme for DPs and their officials focusing on compliance and regulatory requirements. The session will cover recent mandates such as online submission of net worth certificates and audited financial statements, Know Your Customer ("KYC") validation confirmations via the audit web app, Prevention of Money Laundering Act (PMLA) requirements, various statutory submissions, timely investor grievance redressal, additional alerts and related penalties, and DP surveillance obligations. All DPs, including branch offices, are advised to register relevant officials, compliance officers, principal officers, IT/InfoSec teams, and auditors.
3.6. BSE strengthens framework for migration of SME companies to the mainboard and direct listing from other exchanges
The Bombay Stock Exchange ("BSE") has tightened and enhanced its eligibility norms for Small and Medium Enterprises ("SME") companies seeking to migrate to the Mainboard and for companies listed on other recognised stock exchanges aiming for direct listing on BSE. Key changes include raising the operating profitability requirement to INR 15 Crore (Indian Rupees Fifteen Crore only) for the last 3 (three) financial years with a minimum of INR 10 Crore (Indian Rupees Ten Crore only) in each year, up from the previous condition of just positive operating profit in 2 (two) out of 3 (three) years. The minimum number of public shareholders has also been increased from 250 (two hundred fifty) to 1,000 (one thousand). Additionally, new market liquidity criteria mandate that the company's shares must have traded at least 5 per cent (five per cent) of the weighted average number of shares listed during the past 6 (six) months and on at least 80 per cent of the trading days in that period.
3.7. BSE issues guidelines in pursuance of the amendment to SEBI KYC (Know Your Client) Registration Agency (KRA) Regulations, 2011
BSE issued a notice on August 12, 2025, providing its members with updated guidelines related to the amendments in SEBI KYC Registration Agency Regulations, 2011. The notice outlines compliance procedures for handling investor demise, requiring trading members to block and close accounts linked to PANs reported as deceased by KRAs. It further states that clients whose KYC is "On Hold" or unvalidated for any reason, based on submissions between July 01 and July 31, 2025, will be barred from trading and settling open positions from August 25, 2025, until validation requirements are met. Non-compliant PANs will be flagged as Not Permitted to Trade from August 23, 2025, and trading access will be restored promptly upon compliance. The notice directs members to relevant files for client lists and offers contact details for further clarification.
3.8. BSE releases notification of Proliferation Financing, Terror Financing, and Money Laundering risks to private sector entities
BSE has notified its members, following SEBI's instructions, about the release of the Financial Action Task Force (FATF) report "Complex Proliferation Financing and Sanctions Evasion Schemes" (CPFSES), dated June 20, 2025. The notice emphasises the importance of considering the Democratic People's Republic of Korea (DPRK) and Pakistan as high-risk jurisdictions for proliferation financing threats relevant to India. Intermediaries are instructed to update their institutional risk assessments and compliance frameworks in line with Rule 9(13) of the Prevention of Money Laundering Rules, incorporating the new guidance into their internal risk policies.
4. Tax
4.1. CBDT notifies Income-tax (Twenty-First Amendment) Rules, 2025
The Central Board of Direct Taxes (CBDT) has notified the Income-tax (Twenty-First Amendment) Rules, 2025, effective from September 01, 2025. The amendment revises Form No. 07 in the Income-tax Rules, 1962, allowing for demand notices to reference either an "assessment year" or a "block period," as applicable, rather than only the assessment year. This change streamlines compliance and ensures demand notices are properly aligned for both regular and block assessment cases.
4.2. Lok Sabha passes the Income Tax Bill, 2025
The Income-Tax Bill, 2025, passed by the Indian Parliament in August 2025, replaces the 6 (six) decade old Income Tax Act, 1961. The new Bill reduces the number of sections from 819 (eight hundred nineteen) to 536 (five hundred thirty-six), streamlines tax administration, and retains existing tax rates and regimes while clarifying provisions and removing redundancies. It introduces a new, straightforward tax regime with updated slabs, enhances faceless assessments, simplifies return filing, especially for salaried individuals and small businesses, and consolidates Tax Deducted at Source (TDS)/Tax Collected at Source (TCS) provisions. The Bill also improves loss set-off rules for LLPs and retains the alternate minimum tax with clearer rules.
5. Information Technology
5.1. CERT-In issues advisory on multiple vulnerabilities in SAP Products
CERT-In has issued a high-severity advisory (CIAD-2025-0027) addressing multiple critical vulnerabilities across various SAP products, including SAP S/4HANA, SAP NetWeaver, SAP Business One, and SAP Fiori. These vulnerabilities arise from flaws such as code injection, cross-site scripting (XSS), broken authorisation, information disclosure, and improper security checks. Exploiting these weaknesses could result in unauthorised data access, privilege escalation, manipulation of user sessions, service disruptions, and potential system compromise. CERT-In strongly advises SAP system administrators and security teams to urgently apply the vendor-recommended patches available through SAP's official support portal to mitigate risks of data theft, service outages, and security breaches.
5.2. CERT-In issues vulnerability note on multiple vulnerabilities in GitLab Products
CERT-In has issued a high-severity vulnerability note (CIVN-2025-0178) for multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) versions before 18.2.2, 18.1.4, and 18.0.6. These vulnerabilities stem from insufficient input sanitisation, incorrect privilege assignments, and improper authorisation checks in various UI components and backend features. Exploitation could allow attackers to perform account takeovers, launch stored cross-site scripting attacks, escalate privileges, access sensitive information, bypass security restrictions, or cause Denial of Service ("DoS"). CERT-In strongly urges all GitLab users and administrators to promptly update to the latest patched versions to mitigate risks of data breaches, service disruption, and system compromise.
5.3. CERT-In issues vulnerability note for denial-of-service vulnerability in Apache Tomcat
CERT-In has released a critical vulnerability note (CIVN-2025-0177) regarding a vulnerability in Apache Tomcat affecting versions 9.0.0.M1 through 9.0.107, 10.1.0-M1 through 10.1.43, and 11.0.0-M1 through 11.0.9. The flaw, termed the "MadeYouReset" attack, exists in Tomcat's HTTP/2 implementation and is caused by improper handling of malformed client requests, which can repeatedly trigger server-side stream resets without updating abuse counters. An attacker could exploit this to exhaust server resources, resulting in DoS. All system administrators and users are strongly advised to upgrade to the latest Apache Tomcat versions to safeguard against service disruption and resource exhaustion.
5.4. CERT-In issues vulnerability note for a remote code execution vulnerability in Fortinet FortiSIEM
CERT-In has issued a high-severity vulnerability note (CIVN-2025-0176) warning of a remote code execution vulnerability in multiple versions of Fortinet FortiSIEM. The flaw stems from improper neutralisation of special elements in OS commands (command injection), allowing unauthenticated remote attackers to exploit the system by sending specially crafted CLI requests. Successful exploitation could grant attackers system-level privileges, enabling remote code execution, privilege escalation, and persistent compromise of the affected system. All users and organisations are strongly advised to urgently apply security updates released by Fortinet to mitigate risks of unauthorised access and system compromise.
5.5. CERT-In issues vulnerability note for multiple vulnerabilities in Intel Products
CERT-In has released a high-severity vulnerability note (CIVN-2025-0175) warning of multiple security flaws affecting a wide range of Intel processors and chipsets, including the 6th through 13th generation Intel Core, Xeon, Pentium, Celeron, and Atom processors, as well as various Wi-Fi, Edge, and server components. The vulnerabilities arise from issues such as improper input validation, insufficient access controls, memory overflows, race conditions, and timing discrepancies in firmware, drivers, and software. Successful exploitation could allow an attacker to escalate privileges, leak sensitive data, or cause denial of service, with attack vectors varying by vulnerability. CERT-In strongly urges all users and organisations to promptly apply the latest Intel security updates and advisories to mitigate these risks and prevent unauthorised access or system instability.
5.6. CERT-In issues vulnerability note for multiple vulnerabilities in Google Chrome for desktop
CERT-In has released a high-severity vulnerability note (CIVN-2025-0174) regarding multiple critical security vulnerabilities in Google Chrome for Desktop, affecting versions before 139.0.7258.127/.128 on Windows and macOS, and before 139.0.7258.127 on Linux. The vulnerabilities include heap buffer overflow, race conditions, out-of-bounds writes, file picker flaws, and use-after-free errors that could allow remote attackers to execute arbitrary code, steal sensitive data, or cause DoS by tricking users into visiting crafted web pages. Users and organisations are urged to promptly update to the latest Chrome versions as per the vendor's guidance to mitigate these risks and protect against potential exploitation.
5.7. CERT-In issues vulnerability note for multiple vulnerabilities in Adobe Products
CERT-In has issued a high-severity vulnerability note (CIVN-2025-0173) regarding multiple vulnerabilities across various Adobe products, including Adobe Commerce, Adobe Substance 3D suite, Adobe Animate, Illustrator, Photoshop, InDesign, InCopy, FrameMaker, and Dimension. These vulnerabilities stem from memory corruption, incorrect authorisation, and other security flaws, potentially allowing attackers to bypass restrictions, execute arbitrary code, gain elevated privileges, access sensitive information, or cause DoS. The flaws put systems at high risk of data theft, remote code execution, and instability. CERT-In strongly advises all users and administrators to apply the security updates released by Adobe as detailed in the official Adobe Security Bulletins to mitigate exploitation risks and protect their environments.
5.8. CERT-In issues vulnerability note for multiple vulnerabilities in the ZKTeco WL20 biometric attendance system
CERT-In has issued a high-severity vulnerability note (CIVN-2025-0172) regarding multiple vulnerabilities in the ZKTeco WL20 Biometric Attendance System (version ZLM31-FXO1-3.1.8 and earlier) that could allow attackers to gain unauthorised access to sensitive information and the associated MQTT broker. For CVE-2025-54464 and CVE-2025-54465, CERT-In strongly recommends upgrading the firmware to version ZLM31-FXO1-4.0.3. For CVE-2025-55279 and CVE-2025-55280, it recommends applying vendor-provided mitigations, or discontinuing use if none are available. It also recommends implementing physical security controls to prevent unauthorised device access.
5.9. CERT-In issues vulnerability note for path traversal vulnerability in WinRAR
CERT-In has issued a high-severity vulnerability note (CIVN-2025-0171) regarding a path traversal vulnerability in WinRAR for Windows (versions up to and including 7.12), as well as Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The flaw arises from insecure handling of directories and Alternate Data Streams (ADS) in specially crafted RAR archives, allowing an attacker to perform directory traversal and place hidden executable or shortcut files in Windows Startup folders. CERT-In strongly recommends all users and organisations to immediately update to WinRAR version 7.13 or later through manual installation, as automatic updates are not supported, to mitigate the risk of exploitation and system compromise.
5.10. CERT-In issues vulnerability note for multiple vulnerabilities in Drupal Modules
CERT-In has issued a high-severity vulnerability note (CIVN-2025-0170) regarding multiple vulnerabilities in Drupal modules, specifically affecting Drupal Config Pages versions before 2.18.0 and Drupal Google Tag Manager (GTM) versions before 1.10.0. Successful exploitation may lead to unauthorised access, data theft, and full system compromise. CERT-In strongly recommends all individuals and organisations using the affected Drupal modules to immediately update to Config Pages version 2.18 and GTM version 1.10, as provided by the Drupal vendor, to mitigate the risk of exploitation and prevent security breaches.
5.11. CERT-In issues vulnerability note for cross-site scripting vulnerability in the COOKIES consent management module of Drupal
CERT-In has issued a critical security vulnerability note (CIVN-2025-0169) addressing an XSS vulnerability affecting the COOKIES Consent Management module of Drupal versions before 1.2.16. The flaw is attributed to insufficient validation during the conversion of "data-src" attributes to "src" attributes within the module, allowing attackers to inject and execute malicious scripts through manipulated HTML elements. Exploitation of this vulnerability may result in data breaches, arbitrary script execution, malicious redirects, or website defacement. Website administrators and developers using the affected module are at high risk of system compromise. CERT-In strongly recommends that all organisations and users immediately upgrade the COOKIES Consent Management module to version 1.2.16 or later, as provided by the Drupal vendor, to mitigate the risk of exploitation and prevent XSS attacks.
5.12. CERT-In issues vulnerability note for privilege escalation vulnerability in Microsoft Exchange Server Hybrid Deployment
CERT-In has issued a vulnerability note regarding a high-severity elevation of privilege vulnerability (CVE-2025-53786) affecting Microsoft Exchange Server 2016 and 2019 (various cumulative updates, Subscription Edition RTM) when configured as a hybrid deployment. The flaw is due to improper authentication, enabling remote attackers to send specially crafted requests and gain elevated privileges on the target system. Successful exploitation may allow unauthorised access to sensitive resources and complete system compromise. CERT-In strongly urges all organisations running affected Exchange deployments to immediately apply the relevant security updates and patches recommended by Microsoft to mitigate this risk and protect their infrastructure.