We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. ESIC orders 30-day compliance on pending CAG audit paras
Employees' State Insurance Corporation (ESIC) issued a Circular directing all accounting units to review and submit replies or compliance reports for all outstanding external-audit paras to the Comptroller and Auditor General (CAG) within 30 (thirty) days of receipt of inspection reports. The circular states that untimely or unsatisfactory replies will be viewed seriously and that unresolved cases may be escalated to higher authorities, and asks all units to treat the matter with utmost priority. It records approval of the competent authority and notes that a Hindi version will follow.
1.2. EPFO clarifies EDLI exemption workflow; zones to process class-based cases
Employees' Provident Fund Organisation (EPFO) issued Directions aligning examination of Employees' Deposit Linked Insurance (EDLI) exemption or extension requests: proposals covering only regular or any other class of employees are to be treated as "class of employees" cases under section 17(2B) of the Employees' Provident Funds and Miscellaneous Provisions Act, 1952, read with para 28(4) of the EDLI Scheme, 1976, and decided by Additional Central Provident Fund Commissioners (Addl. CPFCs) at the zonal level, while only whole-establishment cases under section 17(2A) go to the Central Provident Fund Commissioner (CPFC) using the prescribed Annexure-A and Annexure-B. Applications must include the group insurance policy, majority acceptance, premium receipts, a benefit comparison, and an employer declaration that all categories of employees are covered, and zones have been asked to clear the backlog and dispose of pending cases by November 30, 2025, with Regional Provident Fund Commissioners (RPFCs) ensuring completeness.
2. Stamp Duty
2.1. Uttar Pradesh: Property registration services paused for server migration (announced within Nov 3–8; effective Nov 8–11, 2025)
The Stamps & Registration Department's online system is migrating from NIC MeghRaj to the National Government Cloud; registrations statewide, including Noida/Ghaziabad and Prayagraj, are temporarily unavailable from November 8 (eight) to 11 (eleven).
3. Stock Exchanges
3.1. BSE opens system audit module and sets stockbroker deadlines
BSE Limited (BSE) activated its System Audit Reporting module for audits of stockbrokers and trading members for the half year ended September 30, 2025, directing members to submit the Audit Plan by November 15, 2025, the Preliminary Audit Report by November 30, 2025, and any Action Taken Report by February 28, 2026; members must file via the BSE Electronic Filing System (BEFS) while auditors log in through the Cymmetri portal, with user manuals provided as annexures.
3.2. CDSL publishes DP-wise BSDA eligibility lists and remediation steps
Central Depository Services (India) Limited ("CDSL") issued a communiqué on the Basic Services Demat Account (BSDA), informing Depository Participants ("DPs") that, using data shared with National Securities Depository Limited ("NSDL") as on October 31, 2025, it has compiled DP-wise lists of Beneficial Owners ("BOs") eligible for BSDA based on three criteria: account category (Individual, Non-Resident Individual or Foreign National), total demat holding value not exceeding INR 10,00,000 (Indian Rupees Ten Lakhs only) for debt and non-debt combined, and the first holder having only one demat account across depositories with a verified Permanent Account Number (PAN) (with a carve-out for PAN-exempt BOs). CDSL has placed a compressed file in each DP's billing folder containing separate lists for PAN-verified eligibles, PAN-exempt eligibles, currently-BSDA accounts with multiple demat accounts, and an all-accounts file showing present and computed BSDA flags; DPs may use the BO-modify upload to unmark ineligible BSDA accounts and notify clients, with support via the CDSL helpdesk.
3.3. CDSL introduces "RDG Transfer" to move G-Secs between demat and RBI Retail Direct accounts
CDSL announced a new "RDG Transfer" transaction to enable direct own-account movement of Government Securities (G-Secs) between dematerialised accounts and Reserve Bank of India (RBI) Retail Direct Gilt (RDG) accounts, and to permit own-account transfers across depositories using the "Transfer to own account" reason code, replacing the demat/remat workaround. The option appears in the BO Easiest login and in the CDSL Depository Automation System (CDAS) settlement module, with Depository Participant (DP) approval; transfer value auto-calculates from International Securities Identification Number (ISIN) face value and quantity. Requests after 4:30 PM (four thirty PM) on weekdays or after 1:00 PM (one PM) on RBI working Saturdays execute the next business day; future-dated entries are limited to the next working day; CDSL-to-RDG transfers are disallowed for accounts with more than 2 (two) holders; transactions are rejected if unpaid coupon or redemption exists; and Sovereign Gold Bond (SGB) credits are restricted to eligible demat categories. DP97 will carry the new entries, the updated Unified Data Interchange File Format (UDiFF) v2.0.0.5 is available, and the go-live is November 14, 2025, End of Day (EOD).
3.4. CDSL seeks DP confirmations on FATF October 2025 statements
CDSL directed DPs to submit, via CDSL's audit portal, a written confirmation by November 21, 2025, on actions taken pursuant to the Financial Action Task Force (FATF) public statements issued after the October 2025 Plenary, including client due diligence, alert mechanisms for flagged jurisdictions, and any other necessary measures. CDSL noted no new jurisdictions were added to "increased monitoring" and that 4 (four) jurisdictions — Burkina Faso, Mozambique, Nigeria and South Africa — were removed, while clarifying that legitimate trade and business with named jurisdictions should not be precluded.
4. Information Technology
4.1. CERT-In flags multiple high-severity flaws in Microsoft Edge Stable
Computer Emergency Response Team – India ("CERT-In") reported that Microsoft Edge Stable Channel (Chromium-based) versions prior to 141.0.3537.71 contain multiple vulnerabilities across components such as Omnibox, SplitView, Fullscreen UI, Extensions and the V8 engine, including use-after-free, out-of-bounds reads, race conditions and policy bypasses, enabling remote code execution, security bypass, spoofing or disclosure of sensitive information on targeted systems; the risk is rated High with potential for unauthorised data access or service disruption and can be triggered by persuading a user to visit a specially crafted web page.
4.2. CERT-In issues critical alert on Hunk Companion and GutenKit WordPress plugins
CERT-In warned of Critical vulnerabilities in WordPress plugins GutenKit versions 2.1.0 and prior and Hunk Companion versions 1.8.5 and prior that allow unauthenticated arbitrary code execution via improperly protected Representational State Transfer (REST) endpoints, including arbitrary file upload at /wp-json/gutenkit/v1/install-active-plugin and a missing authorisation check at /wp-json/hc/v1/themehunk-import. CERT-In reports exploitation in the wild and flags risks of unauthorised access, data manipulation and service disruption, advising users of affected plugins to update or disable them immediately.
4.3. CERT-In warns of critical SQL injection in WPRecovery WordPress plugin
CERT-In issued Vulnerability Note CIVN-2025-0292 on a Critical structured query language (SQL) injection flaw affecting the WPRecovery plugin for WordPress in versions up to and including 2.0 (two point zero), which an unauthenticated attacker could exploit via the unescaped "data[id]" parameter to append SQL statements, extract sensitive data and trigger deletion of arbitrary files through the PHP unlink() function, creating risks of database manipulation and Denial of Service (DoS) along with remote sensitive information disclosure.
4.4. CERT-In flags high-severity Android flaws enabling privilege escalation and code execution
CERT-In issued Vulnerability Note CIVN-2025-0293 on multiple High-severity issues in Google Android versions 13 (thirteen) to 16 (sixteen) that could allow attackers to gain elevated privileges or execute arbitrary code, with risks of data breaches and system crashes. The weaknesses span core Android (bug IDs) and vendor components referenced by Qualcomm, MediaTek, NVIDIA, Broadcom and UNISOC, and affect original equipment manufacturers (OEMs) and end users.
4.5. CERT-In warns of critical RCE and authentication-bypass flaws in Cisco Unified CCX
CERT-In issued Vulnerability Note CIVN-2025-0294, rated Critical, detailing 2 (two) flaws in Cisco Unified Contact Center Express (Unified CCX) where issues in the Java Remote Method Invocation (RMI) process allow unauthenticated attackers to upload arbitrary files, bypass authentication, execute arbitrary commands and potentially escalate privileges to root; the weaknesses include a remote code execution (RCE) bug (CVE-2025-20354) and an authentication-bypass bug (CVE-2025-20358), posing high risks of data manipulation and service disruption with impact on confidentiality, integrity and availability.
4.6. CERT-In issues critical advisory on IBM WebSphere vulnerabilities
CERT-In issued Vulnerability Note CIVN-2025-0290 on multiple Critical flaws in IBM WebSphere Application Server (WAS) versions 9.0 and 8.5 and WAS Liberty (Continuous Delivery). The issues stem from Oracle Java Standard Edition (Java SE) components including the Java API for XML Processing (JAXP) and Security modules. Successful exploitation could allow unauthorised access, manipulation or deletion of sensitive data, privilege escalation, exposure of application information, security-control bypass, and full compromise of affected WebSphere environments.
5. Tax
5.1. CBDT notifies Arm's Length Price tolerance for AY 2025–2026
Ministry of Finance notified, under the Income-tax Act, 1961 and the Income-tax Rules, 1962, that for assessment year (AY) 2025–2026 the price at which an international or specified domestic transaction is undertaken shall be deemed the Arm's Length Price (ALP) if the variation does not exceed 1 (one) per cent for wholesale trading and 3 (three) per cent in all other cases; "wholesale trading" means purchase cost of finished goods is 80 (eighty) per cent or more of total cost and average monthly closing inventory is 10 (ten) per cent or less of sales, and the Central Board of Direct Taxes (CBDT) certified that the retrospective effect will not adversely affect any person.
6. Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI)
6.1. DFS permits voluntary Aadhaar authentication by CERSAI for CKYCR
Ministry of Finance, Department of Financial Services (DFS) notified under the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 that the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), which performs the functions of the Central KYC Records Registry (CKYCR), may conduct Aadhaar authentication on a voluntary basis to verify only demographic details received from entities regulated by the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), International Financial Services Centres Authority (IFSCA), and Pension Fund Regulatory and Development Authority (PFRDA) under the Prevention of Money Laundering Act, 2002; the agency must obtain the Aadhaar holder's consent and cannot deny service if Aadhaar is refused, with alternate identification accepted such as Passport, Driving Licence, Voter's Identity Card, National Rural Employment Guarantee Act Job Card, and National Population Register letter. [DFS]
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.