Setting Up Compliance Systems for PMS Provider

Portfolio Management Services (PMS) providers function within one of the most closely supervised sectors of India’s securities market. To safeguard investor interests and ensure transparency, the Securities and Exchange Board of India (SEBI) has laid down a detailed regulatory structure under the SEBI (Portfolio Managers) Regulations, 2020, supported by periodic amendments, Master Circulars, and compliance directives. These regulations define standards for registration, client handling, reporting, risk management, and operational integrity, ensuring PMS providers operate responsibly and maintain investor confidence.

A robust compliance system is vital not only to meet SEBI’s legal obligations but also to strengthen the provider’s credibility and efficiency. Proper governance, regular audits, data protection, and adherence to AML and cybersecurity guidelines help PMS entities avoid penalties, prevent reputational damage, and build long-term client trust. In essence, compliance serves as the foundation for smooth operations, sustainable growth, and regulatory confidence in the portfolio management industry.

In this article, CA Manish Mishra discusses setting up compliance systems for PMS providers.

Legal Framework Governing PMS Providers

The regulatory ecosystem for Portfolio Management Services (PMS) providers in India is designed to ensure transparency, accountability, investor protection, and systemic integrity. SEBI, as the primary market regulator, has established a well-defined legal framework that lays down comprehensive rules for registration, governance, client servicing, reporting, and compliance. This framework combines several legislations, master circulars, and regulatory guidelines that PMS providers must follow to operate legally and ethically.

Primary Legislation
  • SEBI (Portfolio Managers) Regulations, 2020: This is the core regulation governing the PMS industry. It defines eligibility criteria, net worth requirements, client onboarding standards, reporting obligations, and investment restrictions. It also mandates segregation of client funds, appointment of compliance officers, and adherence to ethical conduct in portfolio management activities.

  • SEBI Master Circular for Portfolio Managers (July 16, 2025): SEBI periodically consolidates all circulars and clarifications into a single comprehensive document called the Master Circular. The 2025 version brings together operational guidelines, disclosure requirements, audit norms, cyber compliance, and risk management procedures to simplify regulatory adherence for PMS entities.

  • Prevention of Money Laundering Act, 2002 (PMLA): Under this Act, PMS providers are classified as “reporting entities”. They must conduct detailed Know Your Customer (KYC) checks, monitor suspicious transactions, maintain records, and report to the Financial Intelligence Unit (FIU-IND). The PMLA framework ensures PMS operations are free from money laundering or terrorism financing activities.

  • Digital Personal Data Protection Act, 2023 (DPDP Act): As PMS providers handle sensitive client information, the DPDP Act mandates strict data privacy, consent management, and information security measures. PMS firms are considered “Data Fiduciaries,” responsible for securing client data, preventing misuse, and reporting data breaches promptly.

Supporting Regulations and Circulars
  • SEBI (Intermediaries) Regulations, 2008: These regulations define the fit and proper criteria for intermediaries, ensuring that PMS providers and their key officials maintain integrity, competence, and financial soundness. They also prescribe a Code of Conduct emphasizing fair dealing and avoidance of conflicts of interest.

  • SEBI Cyber Security and Cyber Resilience Framework (2023): This framework requires PMS entities to establish a robust cybersecurity infrastructure. It includes appointing a Chief Information Security Officer (CISO), implementing an Information Security Policy, and ensuring real-time monitoring of digital systems to safeguard against cyber threats.

  • SEBI Circular on Fee Disclosures and Transparency (2024): Issued to promote fairness, this circular requires PMS providers to clearly disclose their fee structures, performance-linked incentives, and exit load details. The goal is to prevent misrepresentation and ensure that clients fully understand the cost of services before investing.

  • SEBI AML/CFT Master Circular (June 2024): This circular consolidates all SEBI directives on Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) compliance. It mandates periodic KYC updates, risk categorization of clients, and immediate reporting of suspicious transactions to relevant authorities.

Registration and Governance Compliance

For any Portfolio Management Services (PMS) provider, obtaining registration and maintaining strong governance standards is the cornerstone of regulatory compliance. The SEBI (Portfolio Managers) Regulations, 2020 lay down detailed provisions to ensure that only qualified, financially sound, and ethically responsible entities operate in the PMS space. Proper registration, appointment of key personnel, and establishment of board-level oversight mechanisms are critical to upholding investor confidence and regulatory integrity.

Registration Requirements

Under Regulation 3 of the SEBI (Portfolio Managers) Regulations, 2020, no entity can act as a PMS provider without obtaining registration from SEBI. To initiate this process, an applicant must submit Form A, along with the required application fees and supporting documentation. These documents include:

  • Proof of adequate infrastructure (office, technology systems, and qualified staff).

  • Details of the Principal Officer and key personnel demonstrating relevant expertise.

  • Disclosure of ownership pattern, proposed investment strategies, and internal control mechanisms.

SEBI reviews the application to assess the applicant’s “fit and proper” status as per the SEBI (Intermediaries) Regulations, 2008, ensuring financial integrity, experience, and professional competence. Once satisfied, SEBI issues a Certificate of Registration, granting legal authority to commence PMS activities in India.

Net Worth Criteria

Under Regulation 9, every PMS provider must maintain a minimum net worth of ₹5 crore at all times. This financial threshold ensures that only financially stable entities manage client portfolios. The net worth must be certified annually by a Chartered Accountant and reported to SEBI within prescribed timelines.

Failure to maintain the required net worth can have serious consequences — including restrictions on taking new clients, suspension of PMS registration, or even cancellation of license. To mitigate this risk, PMS providers should implement:

  • Quarterly internal monitoring of net worth levels.

  • Board reporting of financial health and capital adequacy.

  • Prompt corrective action plans in case of any shortfall.

This provision enhances financial accountability and assures investors that the PMS has adequate capital to absorb operational and market risks.

Appointment of Key Officials

SEBI mandates the appointment of competent personnel to oversee PMS operations, ensuring regulatory compliance and operational excellence.

  • Principal Officer (Regulation 7): The Principal Officer must have at least five years of experience in portfolio management, securities trading, investment advisory, or fund management. They must possess relevant professional qualifications such as CA, CFA, MBA (Finance), or equivalent. This role involves key responsibilities such as investment decision-making, risk control, and ensuring adherence to the PMS Regulations and client mandates.

  • Compliance Officer: Every PMS provider must designate a Compliance Officer who is responsible for monitoring adherence to SEBI regulations, PMLA requirements, and DPDP obligations. The Compliance Officer oversees internal audits, ensures regulatory filings are accurate and timely, maintains policy updates, and acts as a liaison between SEBI and the company.

The segregation of roles between the Principal Officer (strategic function) and the Compliance Officer (monitoring function) ensures balanced governance and avoids conflicts of interest within the organization.

Board Governance and Oversight

Strong governance is central to sustaining long-term compliance in the PMS industry. SEBI expects PMS entities to demonstrate board-level commitment toward risk management and regulatory supervision.

To achieve this, each PMS provider should:

  • Establish a Board-Level Risk & Compliance Committee: This committee should include independent directors and senior management. It must review regulatory developments, compliance reports, risk exposure, and audit observations periodically.

  • Conduct Quarterly Compliance Reviews: Regular internal audits and compliance checks must be conducted to verify adherence to SEBI’s operational, AML, cyber, and reporting requirements. Any deviations should be promptly escalated to the board for corrective action.

  • Maintain a Comprehensive Compliance Calendar: PMS providers must maintain a compliance tracker that captures periodic obligations under:

    • SEBI Regulations (quarterly filings, net worth certification, audit reports).

    • PMLA (STR/CTR filing and client due diligence).

    • DPDP Act (data protection reporting and breach notifications).

    • Tax laws (TDS, GST, and corporate filings).

A proactive governance framework not only prevents regulatory lapses but also fosters a culture of transparency and accountability within the organization.

Client Onboarding and Documentation Compliance

The client onboarding process is one of the most crucial stages in the operation of a Portfolio Management Services (PMS) provider. It sets the foundation for regulatory compliance, risk management, and client trust. The SEBI (Portfolio Managers) Regulations, 2020, along with the Prevention of Money Laundering Act (PMLA), 2002 and the SEBI AML/CFT Master Circular (June 6, 2024), lay down detailed procedures for client eligibility, documentation, and disclosures. Ensuring proper onboarding compliance protects both the PMS provider and the investor, while reducing the risk of fraud, money laundering, and misrepresentation.

Client Eligibility

Under Regulation 19 of the SEBI (Portfolio Managers) Regulations, 2020, every PMS provider must ensure that each client invests a minimum of ₹50 lakh, either in the form of cash or securities. This regulation ensures that PMS services are restricted to high-net-worth individuals (HNIs) and sophisticated investors who can understand and bear investment risks associated with portfolio management.

Before account activation, the PMS provider must:

  • Verify and document the client’s total investment amount.

  • Ensure compliance with the minimum investment limit for each client, including joint or family accounts.

  • Retain proof of funds or securities deposited.

Non-adherence to this threshold can invite regulatory scrutiny, leading to penalties or restrictions from SEBI. Hence, validating client eligibility is a mandatory first step in compliance.

Know Your Client (KYC) and AML Framework

The KYC and Anti-Money Laundering (AML) framework is governed by the Prevention of Money Laundering Act (PMLA), 2002, and detailed under the SEBI Master Circular on AML/CFT dated June 6, 2024. PMS providers are recognized as “reporting entities” under PMLA, meaning they are legally obligated to verify client identities, detect suspicious activities, and report them to the Financial Intelligence Unit – India (FIU-IND).

A robust KYC and AML process must include the following elements:

  • Risk-Based Client Due Diligence (CDD): Clients must be categorized by risk profile (low, medium, or high), depending on factors like geography, business type, and investment patterns.

  • Identification of Beneficial Owners (BOs): If the client is a company, trust, or partnership, the PMS provider must identify the natural persons who ultimately control or own the client entity.

  • Sanctions and PEP Screening: PMS providers must screen all clients against sanctions lists, including UN, FATF, and domestic PEP (Politically Exposed Persons) databases, before onboarding.

  • Suspicious Transaction Reporting (STR): Any unusual transaction that lacks an economic rationale, involves high-risk jurisdictions, or deviates from the client’s profile must be reported as an STR to FIU-IND without tipping off the client.

  • Record Maintenance: All KYC and transaction records must be preserved for five years from the end of the business relationship or the date of transaction, whichever is later.

By implementing a strong AML framework, PMS providers reduce their exposure to regulatory penalties and reputational damage while ensuring full compliance with SEBI and PMLA obligations.

Client Agreements and Disclosure Documents

Once client verification and due diligence are complete, PMS providers must execute legally compliant client agreements and disclosure documents.

Under Regulation 22 of the SEBI (Portfolio Managers) Regulations, 2020:

  • A written Client Agreement must be entered into before providing any PMS services.

  • The Disclosure Document must be filed with SEBI, updated regularly, and made available to all clients.

These documents establish transparency and define the rights and obligations of both parties. Key inclusions are:

  • Portfolio Objectives and Strategy: The investment strategy, asset allocation, and risk parameters must be clearly mentioned.

  • Risk Disclosures: Clients must be made aware of market, credit, and operational risks involved in PMS investments.

  • Fees and Charges: The agreement should specify management fees, performance fees (if applicable), brokerage, and other costs.

  • Termination and Exit Rights: Terms regarding account closure, withdrawal, and refund policies must be clearly stated.

  • Conflict of Interest: PMS providers must disclose any potential or existing conflicts, such as investments in related parties or associates.

  • Grievance Redressal Mechanism: Details of investor complaint handling procedures, escalation levels, and SEBI’s SCORES portal must be included.

Each client must receive a signed copy of the agreement, and digital or physical records must be maintained for regulatory audits. The Disclosure Document must be reviewed annually or upon any material change and refiled with SEBI as per the Master Circular.

Portfolio Operations and Investment Compliance

Effective portfolio operations and investment compliance are fundamental to ensuring that a Portfolio Management Services (PMS) provider functions transparently, ethically, and within SEBI’s regulatory framework. The SEBI (Portfolio Managers) Regulations, 2020, particularly Regulations 24 to 26, outline clear rules regarding client asset management, custodian appointments, investment restrictions, and fee structures. These provisions are designed to safeguard investor interests, maintain segregation of funds, and eliminate potential conflicts of interest.

Segregation of Client Assets

Under Regulations 24 and 25, a PMS provider must maintain complete segregation of funds and securities for each client. This means:

  • Each client’s account must be treated independently.

  • Pooling of funds across multiple clients or using one client’s assets to benefit another is strictly prohibited.

  • All securities and cash balances must be held in separate client-wise bank and demat accounts maintained with approved custodians.

Daily reconciliation of balances and a robust back-office system are necessary to ensure accurate tracking of each client’s holdings. Any deviation can invite regulatory action, as SEBI closely monitors whether PMS entities maintain investor-level transparency and asset separation.

Custodian Appointment

According to Regulation 26, every PMS provider must appoint a SEBI-registered custodian to hold client assets securely. The custodian’s role is critical to maintaining fiduciary safety and compliance with SEBI norms.

Key responsibilities include:

  • Safe custody of client securities and settlement of transactions.

  • Ensuring that PMS operations comply with segregation requirements.

  • Providing periodic reconciliations and transaction reports.

In addition, the PMS provider must conduct annual due diligence on the custodian to verify their SEBI registration, risk controls, and cyber-resilience measures. This ensures that the custodian’s internal systems meet the regulatory and operational standards required by SEBI.

Investment Restrictions

To prevent misuse of investor funds or related-party favoritism, SEBI imposes strict investment restrictions on PMS providers:

  • The total investment in associate or related party securities cannot exceed 30% of a client’s portfolio.

  • Investments in such entities must be made only after obtaining explicit client consent.

  • PMS providers must implement pre-trade and post-trade controls to ensure that all associate transactions stay within permissible limits.

This regulation aims to maintain fairness, minimize conflicts of interest, and ensure client-first investment decisions. PMS entities should document and justify every related-party transaction and maintain audit trails for SEBI inspection.

Fee Structure Compliance

SEBI strictly regulates the fee structure and disclosure mechanism for PMS providers to promote transparency and prevent client exploitation.

Key requirements include:

  • Performance Fees: Can only be charged on realized profits, not on mark-to-market gains. The high-water mark method must be used, ensuring clients are not charged performance fees until earlier losses are recovered.

  • Upfront Fees: Any upfront or fixed fee must be clearly disclosed in writing and can only be charged after obtaining explicit client consent.

  • Standardized Fee Disclosure: As per the SEBI Circular (2024), all PMS providers must use a uniform fee format that specifies:

    • Management and performance fees.

    • Brokerage, custodian, and audit charges.

    • Exit load conditions and applicable taxes.
      Clients must sign an acknowledgment confirming their understanding of the fee structure before services commence.

This structure prevents misrepresentation and ensures clients are fully aware of all costs, fostering trust and compliance.

Risk Management and Internal Controls

An effective risk management and internal control framework is essential for any Portfolio Management Services (PMS) provider to ensure transparency, integrity, and investor protection. Since PMS providers handle substantial client investments, SEBI mandates a comprehensive structure to identify, measure, and mitigate financial, operational, and compliance risks. This includes formalizing board-approved investment policies, implementing fair order allocation mechanisms, and ensuring strict adherence to insider trading regulations. A robust internal control environment not only helps in regulatory compliance but also enhances operational efficiency and investor trust.

Investment Policy

Every PMS provider must have a Board-approved Investment Policy, reviewed at least once annually or whenever there are material changes in regulatory requirements or business strategy.

The investment policy serves as a blueprint for portfolio management and should clearly define:

  • Model Portfolios and Investment Objectives: The types of portfolios offered (e.g., discretionary, non-discretionary, advisory) along with their investment goals, benchmarks, and strategy rationale.

  • Risk Limits: Exposure limits for various asset classes, sectors, and instruments to prevent concentration risk.

  • Asset-Class Allocation: Percentage caps for equities, debt, mutual funds, or alternative instruments to maintain portfolio diversification.

  • Exit and Rebalancing Policies: Procedures for liquidating underperforming assets, switching strategies, or rebalancing portfolios to align with market conditions and client objectives.

The investment policy must align with Regulation 24 of the SEBI (Portfolio Managers) Regulations, 2020, ensuring that the PMS operates in a transparent and risk-controlled manner. Periodic policy reviews by the board help in keeping the investment process consistent, compliant, and adaptive to regulatory or market changes.

Order Management and Allocation

A PMS provider must ensure fairness and transparency in the execution and allocation of trades among clients. SEBI requires PMS entities to maintain a robust order management and execution policy to prevent favoritism, conflicts of interest, or client discrimination.

Key compliance measures include:

  • Fair Order Execution: All client orders must be executed at the best available price, ensuring equality in trade execution without giving undue advantage to any client, related entity, or internal account.

  • No Preferential Treatment: PMS providers are strictly prohibited from giving preferential treatment to select clients, related parties, or associates.

  • Audit Trail Maintenance: Maintain detailed order logs with timestamps, client identifiers, and execution records to ensure auditability during SEBI inspections.

  • Error Rectification Procedures: Any trade error must be promptly identified, documented, and corrected without impacting client interest.

Additionally, PMS providers should have pre-trade and post-trade compliance controls to verify order allocations and ensure they are consistent with the investment policy, client mandates, and SEBI guidelines.

Insider Trading and Personal Account Dealings

Given their access to sensitive financial and market information, PMS employees and associated persons are subject to the SEBI (Prohibition of Insider Trading) Regulations, 2015. SEBI requires PMS entities to establish a Code of Conduct for Prevention of Insider Trading, ensuring that all employees act ethically and avoid any misuse of unpublished price-sensitive information (UPSI).

Key compliance requirements include:

  • Pre-clearance of Trades: Employees, directors, and designated persons must obtain written approval from the Compliance Officer before executing any personal trades in securities that the PMS also invests in.

  • Restricted Securities List: The PMS must maintain a dynamic restricted list of securities under active consideration or investment to prevent trading by insiders during sensitive periods.

  • Periodic Surveillance and Reporting: The compliance team must conduct regular monitoring of employee trades, verify adherence to the Code of Conduct, and report any violations to SEBI as required.

  • Chinese Wall Policies: Clear separation between research, investment, and operations teams should be maintained to prevent information leakage.

These controls ensure ethical conduct, preserve client trust, and align with SEBI’s vision of a fair and transparent market ecosystem.

Reporting and Audit Obligations

Reporting and audit obligations form the foundation of regulatory compliance for any Portfolio Management Services (PMS) provider. SEBI mandates a transparent and time-bound reporting structure to ensure investor protection, operational accountability, and early detection of irregularities. Under the SEBI (Portfolio Managers) Regulations, 2020, specifically Regulations 30 and 31, PMS entities must maintain detailed records, conduct independent audits, and provide both regulators and clients with periodic performance and compliance reports. These obligations enhance investor confidence and reinforce SEBI’s supervisory framework over portfolio managers.

SEBI Reporting

SEBI requires PMS providers to submit off-site inspection data and other regulatory reports through the SEBI Intermediary Portal at prescribed intervals. The objective is to ensure that SEBI has real-time access to operational, financial, and compliance data of PMS entities.

The periodic reports must include:

  • Assets Under Management (AUM) details: Breakdown of discretionary, non-discretionary, and advisory portfolios.

  • Client Master Data: Client demographics, onboarding dates, and risk profiles.

  • Portfolio Statements: Holdings across asset classes, valuation details, and changes during the reporting period.

  • Transaction Records: Trade-level details including purchase, sale, and settlement data for audit verification.

PMS providers are also required to upload compliance certificates, risk management declarations, and custodian confirmations periodically. Any delays or discrepancies in reporting may attract penalties or inspection notices from SEBI. Hence, maintaining a robust compliance calendar and automated reporting systems is crucial for accuracy and timeliness.

Annual Audits

Under Regulation 30, every PMS provider must undergo an annual audit conducted by an independent Chartered Accountant. This audit ensures that the entity’s operations comply with SEBI’s regulations, internal controls, and client agreements.

The scope of the audit includes:

  • Verification of Investment Mandates: Ensuring portfolios are managed as per client objectives and risk profiles.

  • Segregation of Client Assets: Confirming proper separation of funds and securities for each client.

  • Review of Documentation: Examination of client agreements, disclosures, and transaction records for compliance accuracy.

  • Net Worth Verification: Certification of minimum ₹5 crore net worth and capital adequacy compliance.

The audit report must be submitted to SEBI within the prescribed time, typically within six months from the end of the financial year. Non-compliance or delays in submission may lead to regulatory scrutiny, restrictions on new business, or monetary penalties. Many PMS providers also conduct internal audits on a quarterly basis to proactively identify risks before the statutory audit.

Periodic Client Reporting

As per Regulation 31 of the PMS Regulations, 2020, every PMS provider is required to furnish quarterly reports to clients. These reports serve as a transparent communication tool, helping investors assess their portfolio performance and the PMS provider’s compliance with mandates.

Each report must include:

  • Portfolio Valuation and Performance: Details of current holdings, realized/unrealized gains, and comparison with the client’s investment objectives.

  • Fees and Charges: Breakdown of management, performance, and brokerage fees charged during the period.

  • Benchmark Comparison: Portfolio returns must be compared with a relevant benchmark to reflect relative performance.

  • Compliance Status: Disclosure of any deviations, corporate actions, or changes in investment strategy during the quarter.

PMS providers must deliver these reports electronically or in physical form as per client preference and maintain records of delivery acknowledgment for SEBI inspection.

Additionally, SEBI encourages monthly performance reporting and investor dashboards for enhanced transparency. Non-compliance with reporting standards may be viewed as a violation of investor protection norms under Section 15HA of the SEBI Act, 1992.

Cybersecurity and Technology Compliance

In an era where digital infrastructure underpins every aspect of financial services, Portfolio Management Services (PMS) providers face growing cybersecurity and data protection challenges. As custodians of large volumes of investor information and financial data, they must adhere to stringent SEBI-mandated cybersecurity norms and the Digital Personal Data Protection Act (DPDP), 2023. Robust technology compliance ensures not only operational resilience but also investor confidence and regulatory conformity.

SEBI Cyber Security Framework (2023)

Introduced in 2023, SEBI’s Cyber Security and Cyber Resilience Framework sets the baseline for technology governance and risk management in the PMS industry. It requires all entities exceeding specified Assets Under Management (AUM) thresholds to implement strong digital protection and oversight mechanisms.

Key regulatory expectations include:

  • Appointment of a Chief Information Security Officer (CISO): Every PMS provider must designate a qualified CISO responsible for cybersecurity oversight, policy implementation, and incident escalation to SEBI.

  • Information Security Policy (ISP): The Board must approve a comprehensive ISP covering access control, encryption, data storage, vendor risk, and incident handling. This policy should be reviewed annually to adapt to emerging threats.

  • Incident Response & Business Continuity: A formal Incident Response Mechanism (IRM) and Disaster Recovery Plan (DRP) must be established to detect, report, and mitigate breaches swiftly. Entities must conduct annual mock drills to test preparedness.

  • Cyber Audits & Reporting: Periodic internal and external cyber audits are compulsory. Any cybersecurity incident must be reported to SEBI’s Information Security Department within 6 hours of detection.

This framework aims to ensure operational continuity, minimize investor data exposure, and promote responsible technology use among PMS entities.

SEBI Cyber Resilience Framework (2024–2025 Update)

Building on the 2023 policy, SEBI rolled out the Cyber Resilience Framework (CRF) in 2024, bringing a risk-based and scalable compliance model. The CRF introduces graded cyber controls proportional to an entity’s digital exposure, client base, and AUM.

Core components of the CRF include:

  • Data Classification & Protection: Entities must classify data as public, confidential, restricted, or critical, applying layered protection and encryption mechanisms for each category.

  • Multi-Factor Authentication (MFA): SEBI now mandates MFA for all privileged access systems, ensuring that login credentials alone cannot compromise sensitive information.

  • Comprehensive Log Management: PMS providers must maintain centralized Security Information and Event Management (SIEM) systems to record, analyze, and retain logs for at least 180 days.

  • Vulnerability and Penetration Testing (VAPT): Semi-annual third-party penetration testing and vulnerability scans are required to identify and remediate system weaknesses.

  • Regular Board Reviews: Cyber resilience reports must be presented to the board quarterly to evaluate compliance and threat trends.

Through these measures, SEBI ensures that PMS providers maintain “defense in depth”, combining proactive prevention with continuous monitoring and response mechanisms.
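The CRF controls listed above can be checked automatically against a system inventory before each quarterly board review. The following is an added example, not code from SEBI or from the original article. The inventory fields, system names, finding codes, and the reading of "semi-annual" as a 183-day maximum age are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Thresholds taken from the controls listed in the article.
ALLOWED_DATA_CLASSES = {"public", "confidential", "restricted", "critical"}
MIN_LOG_RETENTION_DAYS = 180
# Assumption: "semi-annual" VAPT is read as "no more than 183 days old".
MAX_VAPT_AGE_DAYS = 183


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enabled: bool


@dataclass
class System:
    name: str
    data_class: str
    log_retention_days: int
    forwards_to_siem: bool
    last_third_party_vapt: Optional[date]  # None = never tested
    accounts: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def audit_system(system: System, today: date) -> list:
    """Return the CRF control gaps for one system, in a fixed check order."""
    findings = []

    # Data classification: the label must be one of the four categories.
    if system.data_class not in ALLOWED_DATA_CLASSES:
        findings.append(Finding("DATA_CLASS",
                                f"unknown classification '{system.data_class}'"))

    # MFA: required on privileged access; ordinary users are not flagged here.
    for acct in system.accounts:
        if acct.privileged and not acct.mfa_enabled:
            findings.append(Finding("MFA",
                                    f"privileged account '{acct.name}' has no MFA"))

    # Log management: at least 180 days of retention, centralised in the SIEM.
    if system.log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(Finding("LOG_RETENTION",
                                f"{system.log_retention_days} days retained, "
                                f"{MIN_LOG_RETENTION_DAYS} required"))
    if not system.forwards_to_siem:
        findings.append(Finding("SIEM", "logs are not forwarded to the central SIEM"))

    # VAPT: a missing test date is a gap, not a pass.
    if system.last_third_party_vapt is None:
        findings.append(Finding("VAPT", "no third-party VAPT on record"))
    else:
        age = (today - system.last_third_party_vapt).days
        if age > MAX_VAPT_AGE_DAYS:
            findings.append(Finding("VAPT", f"last third-party VAPT was {age} days ago"))

    return findings


def audit_inventory(systems: list, today: date) -> dict:
    """Map each system name to the list of finding codes raised for it."""
    return {s.name: [f.code for f in audit_system(s, today)] for s in systems}


def run_sample() -> dict:
    """Audit a constructed three-system inventory as of 2025-06-30."""
    today = date(2025, 6, 30)
    inventory = [
        System("oms-prod", "critical", 365, True, date(2025, 3, 1),
               [Account("oms-admin", privileged=True, mfa_enabled=True)]),
        System("client-portal", "confidential", 90, True, date(2024, 11, 15),
               [Account("dbadmin", privileged=True, mfa_enabled=False),
                Account("analyst", privileged=False, mfa_enabled=False)]),
        # Retention sits exactly on the 180-day boundary and must pass.
        System("backoffice-recon", "internal", 180, False, None),
    ]
    return audit_inventory(inventory, today)


if __name__ == "__main__":
    for name, codes in run_sample().items():
        print(f"{name}: {'OK' if not codes else ', '.join(codes)}")
```
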

Data Privacy under the Digital Personal Data Protection (DPDP) Act, 2023

The Digital Personal Data Protection Act, 2023 introduces a new era of privacy governance, recognizing PMS providers as “Data Fiduciaries.” Under this role, they are legally responsible for ensuring fair, lawful, and transparent handling of investors’ personal data.

Key obligations include:

  • Consent and Lawful Processing: PMS providers must obtain clear, informed, and specific consent from clients before collecting or processing personal data. Data must be used only for legitimate purposes such as investment management or compliance reporting.

  • Purpose Limitation & Data Minimization: Only relevant and necessary data may be collected, ensuring minimal intrusion into clients’ privacy. Data retention beyond its intended use is strictly prohibited.

  • Data Breach Reporting: Any data breach must be reported within 72 hours to both the Data Protection Board of India (DPBI) and affected clients, detailing the incident’s impact and remedial actions.

  • Data Sharing & Vendor Governance: Contracts with third-party vendors or service providers must contain explicit data protection clauses, ensuring that outsourced entities follow equivalent privacy standards.

  • Rights of Data Principals (Clients): Clients have the right to access, correct, or delete their personal data, and PMS providers must establish mechanisms to facilitate these rights efficiently.

AML and Financial Crime Compliance

Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) compliance form one of the most critical pillars of governance for Portfolio Management Services (PMS) providers. Given their role in managing large investment portfolios, PMS entities are exposed to risks of illicit fund flows, market manipulation, and money laundering. To mitigate these risks, SEBI mandates strict adherence to the Prevention of Money Laundering Act, 2002 (PMLA), the PMLA Rules, 2005, and the SEBI AML/CFT Master Circular (June 6, 2024).

The objective of AML compliance is to ensure transparency, detect suspicious activity, and prevent the misuse of capital markets for unlawful purposes. PMS providers must establish a comprehensive AML framework integrating risk-based due diligence, robust screening, and continuous employee awareness programs.

Key Legal Obligations

Under the PMLA, 2002, and related SEBI circulars, PMS providers are designated as reporting entities and are required to maintain detailed records, monitor transactions, and report suspicious activity to the Financial Intelligence Unit – India (FIU-IND).

Core obligations include:

  • Client Identification Records (CIR): PMS providers must maintain complete client identification records including KYC documents, beneficial ownership details, and transaction history for a minimum of five years after the end of the client relationship or the closure of the account.

  • Cash Transaction Reports (CTRs): All cash transactions exceeding ₹10 lakh, either individually or through a series of connected transactions, must be reported to FIU-IND within the prescribed time frame (usually 15 days from the end of the month).

  • Suspicious Transaction Reports (STRs): If a transaction appears inconsistent with a client’s known profile or has no apparent lawful purpose, an STR must be filed immediately with FIU-IND. The entity must not disclose the filing of an STR to the client or any unauthorized person, as it is a punishable offense under PMLA.

  • Enhanced Due Diligence (EDD): For high-risk clients, such as Politically Exposed Persons (PEPs), non-resident clients, or those from high-risk jurisdictions identified by the Financial Action Task Force (FATF), PMS providers must conduct additional scrutiny. This includes verifying the source of funds, monitoring transaction behavior, and obtaining senior management approval for onboarding or continuation.

Failure to comply with AML reporting or due diligence obligations may attract penalties under Section 13 of PMLA and disciplinary action by SEBI.

Screening and Monitoring

A critical aspect of AML compliance is ongoing screening and transaction monitoring to identify potential money laundering or terror financing patterns. PMS entities must implement automated tools or manual checks to continuously assess client and transaction risks.

Screening Requirements:

  • FATF Lists: All clients must be screened against the latest Financial Action Task Force (FATF) public statements and lists of high-risk and non-cooperative jurisdictions.

  • UN Sanctions Lists: PMS providers must verify that clients or beneficial owners are not listed on UN Security Council Sanctions lists or those maintained under Section 51A of the Unlawful Activities (Prevention) Act, 1967.

  • Domestic Watchlists: Entities must also monitor against domestic lists such as the Ministry of Home Affairs (MHA) Designated Individuals/Entities List and other law enforcement databases.

Ongoing Monitoring:
All PMS transactions must be regularly reviewed to detect:

  • Unusual or large-value transfers inconsistent with client profiles.

  • Frequent inflows and outflows lacking economic rationale.

  • Cross-border transactions involving tax havens or high-risk regions.

Automated monitoring systems should flag such activities for review by the Compliance Officer, who must determine whether they warrant STR filing.

Training and Awareness

A strong AML program depends not only on systems but also on staff competence and awareness. SEBI mandates PMS providers to conduct periodic training to ensure that all employees understand AML/CFT regulations, red flag indicators, and reporting procedures.

Key training obligations include:

  • Annual AML Training: Every employee, especially those involved in client interaction, compliance, and operations, must undergo AML and CFT training at least once a year. This should cover identification of suspicious patterns, KYC norms, and reporting obligations.

  • Compliance Officer’s Role: The Compliance Officer must oversee the training framework, maintain attendance and certification records, and conduct annual reviews to evaluate the effectiveness of AML controls.

  • Periodic Refresher Programs: Additional refresher sessions must be organized whenever there are regulatory amendments, FIU-IND advisories, or SEBI circular updates.

By fostering a culture of vigilance and accountability, PMS providers can significantly reduce financial crime risks and maintain their credibility in the eyes of regulators and investors.

Data Governance and Outsourcing Controls

With increasing digitization and reliance on third-party service providers, Portfolio Management Services (PMS) entities are required to establish a strong framework for data governance and outsourcing management. SEBI recognizes that while outsourcing can enhance operational efficiency, it also introduces significant risks, particularly in areas related to data security, investor confidentiality, and regulatory accountability. Therefore, PMS providers must ensure that all outsourcing arrangements comply with SEBI’s Outsourcing Guidelines, SEBI (Portfolio Managers) Regulations, 2020, and other relevant circulars that safeguard client interests and ensure transparency.

Outsourcing Guidelines

SEBI’s Circular on Outsourcing by Intermediaries (latest update: December 2023) lays down the core principles governing outsourcing of functions by PMS entities. The circular defines outsourcing as the use of a third-party service provider to perform tasks or processes that would otherwise be conducted internally. However, SEBI emphasizes that outsourcing does not diminish the PMS provider’s responsibility toward clients or regulatory compliance.

Key Requirements:

  • Prior Due Diligence of Vendors: Before entering into any outsourcing agreement, PMS providers must conduct a comprehensive risk assessment of the vendor. This includes evaluating the vendor’s financial stability, technical competence, data protection standards, and past regulatory compliance record. The due diligence must be documented and periodically reviewed.

  • No Outsourcing of Core Investment Functions: SEBI expressly prohibits outsourcing core investment management or decision-making functions, such as portfolio construction, asset allocation, or client suitability analysis. These functions must be performed directly by the Principal Officer or the authorized investment team within the PMS. Outsourcing is permitted only for support and administrative functions such as IT services, data storage, record maintenance, and back-office operations.

  • Confidentiality and Audit Rights in Contracts: All outsourcing contracts must contain specific clauses to:

    • Protect client data and maintain strict confidentiality.

    • Grant SEBI, auditors, and PMS internal compliance officers the right to inspect or audit vendor records at any time.

    • Require vendors to comply with SEBI regulations and promptly report any breaches, data leaks, or disruptions.

Additionally, the PMS provider must ensure that vendors do not engage in sub-outsourcing without written approval, and that operational continuity is maintained even if a vendor relationship is terminated.

Record Keeping

A robust record-keeping and data retention system is essential for ensuring compliance transparency and facilitating SEBI audits or client dispute resolution. Under Regulation 27 of the SEBI (Portfolio Managers) Regulations, 2020, and corresponding SEBI circulars, PMS providers must maintain comprehensive and retrievable records of all operational and investment-related activities.

Key Requirements:

  • Retention Period: PMS entities must retain all relevant documents, including client communications, investment decisions, trade confirmations, KYC details, portfolio statements, and audit trails, for a minimum of five years after the completion of a transaction or termination of the client relationship, whichever is later.

  • Digital and Physical Backups: To ensure data security and business continuity, PMS providers must maintain both physical and digital backups of all records. Digital backups should be encrypted, password-protected, and stored on secure servers, preferably within India, to comply with SEBI’s data localization norms.

  • Audit Trail Maintenance: Every investment decision, transaction approval, and communication with clients or custodians must leave a verifiable audit trail. This enables SEBI and internal auditors to trace the decision-making process in case of regulatory inquiries or client grievances.

  • Data Accessibility and Retrieval: All records must be easily retrievable for SEBI inspections, annual audits, and internal reviews. PMS providers should adopt document management systems (DMS) that ensure quick access, data integrity, and tamper-proof storage.

Regulatory Inspections and Enforcement Preparedness

Regulatory inspections form an integral part of SEBI’s supervision of Portfolio Management Services (PMS) providers. These inspections ensure that intermediaries adhere to the SEBI (Portfolio Managers) Regulations, 2020, comply with AML standards, and maintain transparency in client dealings. PMS entities are required to maintain comprehensive records, internal controls, and documentation to demonstrate compliance at all times. Failure to do so can result in regulatory penalties, suspension, or even cancellation of registration.

SEBI Inspections

SEBI conducts both onsite and offsite inspections to evaluate compliance with its rules, circulars, and codes of conduct.

  • Onsite Inspections: SEBI officials physically visit the PMS office to review records, interview key personnel, and verify operational practices.

  • Offsite Inspections: SEBI collects data through the Intermediary Portal, such as transaction records, audit reports, and client statements, to assess ongoing compliance remotely.

The inspections generally focus on the following areas:

  • Client Accounts: Verification of KYC records, investment mandates, and adherence to the minimum investment limit of ₹50 lakh.

  • Fee Computation: Ensuring that performance and management fees are charged as per Regulation 22 and SEBI’s 2024 circular on fee disclosure and client consent.

  • AML Processes: Reviewing client onboarding, STR/CTR filings, and effectiveness of ongoing monitoring under the PMLA framework.

  • Cybersecurity Compliance: Examining data protection measures, information security policies, and reporting timelines for cyber incidents.

PMS entities must cooperate fully during inspections, provide requested documents promptly, and address deficiencies within the time specified by SEBI.

Consequences of Non-Compliance

Non-compliance identified during inspections can have serious repercussions under the SEBI Act, 1992, and related regulations. Depending on the severity and recurrence of violations, SEBI may take enforcement actions, such as:

  • Monetary Penalties: Under Section 15HA of the SEBI Act, 1992, SEBI can impose penalties for fraudulent or unfair trade practices, misrepresentation, or non-adherence to disclosure norms. Penalties may extend up to ₹1 crore or three times the profit gained, whichever is higher.

  • Suspension of Registration: Under Regulation 29 of the SEBI (Portfolio Managers) Regulations, 2020, SEBI can suspend a PMS provider’s registration for repeated or serious non-compliance, restricting it from conducting business until deficiencies are rectified.

  • Prohibition on Onboarding New Clients: As an interim measure, SEBI may prohibit PMS providers from taking on new clients until existing compliance lapses are resolved or pending investigations are completed.

  • Reputational Consequences: Any enforcement order passed by SEBI is made public, which can damage investor trust and business relationships.

Thus, maintaining ongoing compliance and proactive self-audits is crucial to avoid disciplinary actions.

Common Lapses Observed by SEBI

Through multiple inspections and enforcement actions, SEBI has identified recurring lapses among PMS entities. Recognizing these pitfalls can help providers strengthen their compliance frameworks:

  • Inadequate Segregation of Client Assets: Some PMS entities have failed to properly segregate client funds and securities, violating Regulations 24 and 25. Using pooled accounts or combining assets of multiple clients is strictly prohibited.

  • Misleading Performance Reporting: Instances where PMS entities misrepresented portfolio performance, omitted benchmark comparisons, or used inconsistent valuation methodologies have led to investor complaints and regulatory action. Accurate and transparent reporting under Regulation 31 is mandatory.

  • Improper AML Documentation: SEBI has frequently observed lapses in client identification, beneficial ownership verification, and delayed STR filings. Non-adherence to PMLA, 2002, and SEBI AML/CFT Master Circular (2024) remains one of the most common compliance failures.

  • Non-Submission of Quarterly Filings: Some PMS providers fail to submit quarterly compliance reports or delay mandatory filings via the SEBI Intermediary Portal, which constitutes a direct breach of Regulation 30.

SEBI emphasizes that such deficiencies reflect weak internal control systems and can trigger detailed forensic audits or even criminal referrals in severe cases.

Building a Robust Compliance Culture

A robust compliance culture forms the backbone of every successful and sustainable Portfolio Management Services (PMS) organization. Beyond regulatory adherence, it reflects a firm’s commitment to ethical governance, transparency, and investor protection. Compliance should not merely be viewed as a statutory obligation but as an organizational value that permeates every level, from the Board of Directors to the front-line staff.

A strong compliance culture helps PMS providers proactively identify risks, ensure alignment with SEBI regulations, PMLA, DPDP Act, and global standards such as FATF, while maintaining investor trust and regulatory goodwill. This can be achieved through structured governance frameworks, dynamic monitoring mechanisms, and employee accountability systems.

Compliance Governance Framework

A well-designed Compliance Governance Framework ensures that regulatory requirements are systematically translated into actionable policies and monitored effectively. PMS providers should institutionalize a Compliance Manual that clearly maps every SEBI regulation, circular, and internal policy to corresponding control procedures.

Key elements of an effective compliance governance structure include:

  • Comprehensive Compliance Manual: This manual should serve as a living document, detailing all applicable laws, including the SEBI (Portfolio Managers) Regulations, 2020, SEBI Master Circulars, PMLA, and DPDP Act obligations, and how the organization implements them. Each compliance area (e.g., AML, cybersecurity, fee disclosure, data privacy) must be mapped to responsible departments and internal controls.

  • Compliance Testing Programme: A Compliance Testing Programme (CTP) involves conducting periodic, sample-based reviews of transactions, reports, and records to verify real-world adherence to policies. One example is testing random client accounts to check whether KYC verification and risk categorization are accurately implemented. This helps identify control gaps and pre-empt regulatory breaches.

  • Quarterly Compliance Certifications: SEBI expects senior management to demonstrate oversight and accountability. Hence, PMS entities should implement quarterly compliance certifications, jointly signed by the Principal Officer and Compliance Officer, confirming adherence to all applicable regulations. These certifications should also be presented to the Board’s Risk and Compliance Committee for review.

Such structured governance enhances internal control reliability, promotes transparency, and reduces the risk of non-compliance during SEBI inspections or audits.

Continuous Monitoring

In the rapidly evolving regulatory landscape, continuous monitoring is important to maintaining compliance accuracy. PMS providers must remain vigilant to changes across SEBI circulars, FATF recommendations, DPDP notifications, and tax regulations that can directly or indirectly impact portfolio management operations.

Best practices for continuous monitoring include:

  • Regulatory Change Tracker: Maintain a centralized Regulatory Change Tracker, a dynamic database that records new SEBI circulars, amendments, and guidance notes. Each change should trigger an internal review to assess impact and update relevant policies or client documentation.

  • Automated Alert Systems: Leverage compliance management tools that generate alerts for upcoming filing deadlines, SEBI submissions, and audit due dates. Automation ensures timely action and prevents lapses.

  • Inter-Departmental Coordination: Compliance officers should coordinate closely with operations, investment, and IT teams to ensure new regulatory developments, such as revised cyber norms or fee disclosure requirements, are implemented seamlessly across systems.

This proactive monitoring framework not only ensures compliance currency but also positions the PMS provider as a responsible and adaptive market participant.

Employee Accountability

A compliance culture is only as strong as the people who uphold it. Embedding accountability within the workforce ensures that compliance responsibilities are treated with the seriousness they deserve.

Essential measures to strengthen employee accountability include:

  • Whistle-blower Policy: Introduce a transparent Whistle-blower Policy allowing employees, vendors, or clients to report unethical practices, policy breaches, or frauds anonymously. Whistle-blower protection ensures that issues are reported early without fear of retaliation, helping prevent reputational and regulatory damage.

  • Code of Conduct: Every employee must adhere to a Code of Conduct that outlines acceptable professional behavior, confidentiality requirements, and conflict-of-interest policies. The Code should also align with SEBI’s fit and proper person criteria under the SEBI (Intermediaries) Regulations, 2008.

  • Performance-Linked Compliance KPIs: PMS providers should integrate compliance metrics into employee performance evaluations, particularly for senior management and compliance-sensitive roles. For example, adherence to regulatory timelines, audit findings, and zero tolerance for non-compliance incidents can form part of annual performance assessments.

This performance-based accountability ensures compliance is not just a departmental function but a shared responsibility across the organization.

Recent Developments (2024–2025)

The regulatory landscape for Portfolio Management Services (PMS) providers in India continues to evolve rapidly, reflecting SEBI’s focus on investor protection, technological adaptation, and data security. Between 2024 and 2025, several critical developments were introduced to strengthen the compliance ecosystem, enhance operational transparency, and align with global financial governance standards. PMS providers must now integrate these changes into their internal frameworks to ensure seamless compliance and maintain regulatory credibility.

SEBI Master Circular for Portfolio Managers (July 2025)

In July 2025, SEBI issued a Master Circular for Portfolio Managers, consolidating all previous circulars, guidelines, and clarifications into a unified compliance framework. The purpose was to streamline regulatory interpretation and ensure consistent implementation across the PMS industry.

Key highlights include:

  • Integrated Compliance Framework: Combines AML (Anti-Money Laundering), Cybersecurity, Operational, and Reporting obligations into one structured circular.

  • Simplified Reporting: Standardized templates for reporting to SEBI through the Intermediary Portal, including quarterly compliance certificates, AUM disclosures, and client portfolio reports.

  • Enhanced Risk Management: Introduced mandatory board-level oversight on investment and operational risk management.

  • Alignment with PMLA and DPDP Act: Reinforced the requirement for maintaining client identification records, data protection controls, and cybersecurity incident reporting.

This circular marked a major regulatory milestone, enabling PMS providers to operate under a clear, consolidated compliance structure, reducing overlap and ambiguity across multiple SEBI directives.

SEBI Cyber Resilience Framework (August 2024)

To address the growing digital threats faced by financial intermediaries, SEBI launched the Cyber Resilience Framework (CRF) in August 2024. Building upon the 2023 Cybersecurity Framework, the CRF introduced a graded risk-based approach designed to strengthen technological infrastructure and improve incident preparedness.

Key Provisions:

  • AI-Driven Risk Monitoring: Mandated the use of Artificial Intelligence and Machine Learning (AI/ML) tools for real-time threat detection and behavioral analytics.

  • Data Security Enhancement: Required encryption of all sensitive investor data at rest and in transit.

  • Cyber Incident Reporting: Entities must report any cyber breach within six hours to SEBI’s Information Security Department, followed by a root cause analysis report.

  • System Resilience Testing: Annual penetration testing and business continuity simulations became compulsory for all entities exceeding specified AUM thresholds.

This framework signaled SEBI’s commitment to proactive digital risk governance, ensuring that PMS entities maintain high resilience, quick recovery, and minimal client impact in the event of cyber incidents.

DPDP Act Implementation (2025)

The Digital Personal Data Protection Act (DPDP), 2023, entered its active implementation phase in 2025 with the notification of draft rules and operational guidelines. The Act, India’s first comprehensive privacy legislation, imposes significant obligations on financial intermediaries, including PMS providers, who are now legally recognized as “Data Fiduciaries.”

Key Compliance Requirements:

  • Mandatory Appointment of Data Protection Officer (DPO): PMS providers handling large volumes of client data must appoint a DPO to oversee compliance with data protection laws and manage client grievances.

  • Consent and Data Minimization: PMS entities must obtain explicit client consent for collecting and processing personal data, ensuring that only essential information is gathered for regulatory or operational purposes.

  • 72-Hour Breach Notification Rule: Any personal data breach must be reported to the Data Protection Board of India (DPBI) and affected clients within 72 hours.

  • Cross-Border Data Transfer Restrictions: Data transfers outside India are subject to government-approved jurisdictions, ensuring that investor information remains secure.

With penalties of up to ₹250 crore per violation, PMS providers are now under greater scrutiny to build robust data governance and privacy frameworks.

Enhanced Disclosure Norms (October 2024)

To further improve transparency and comparability among PMS offerings, SEBI issued Enhanced Disclosure Norms in October 2024. These norms standardized how PMS providers report performance, fees, and benchmarks to investors.

Key Mandates:

  • Standardized Client Reporting Format: All client reports must follow a uniform format specifying portfolio value, returns, fees, benchmark performance, and risk ratios.

  • Benchmark Selection Guidelines: PMS providers must select benchmarks reflective of their actual investment strategies (e.g., NIFTY 500 for diversified equity portfolios) and disclose the rationale behind their choice.

  • Fee Disclosure Template: Providers are required to give a detailed breakdown of all charges — management fees, performance-linked fees, and other expenses — in both client agreements and quarterly statements.

  • Performance Audit Disclosure: Annual performance must be certified by an independent auditor, ensuring the accuracy of reported returns.

These measures were introduced to eliminate misleading performance claims, reduce conflicts of interest, and empower investors with clearer insights into portfolio performance.

Conclusion

Compliance in the Portfolio Management Services (PMS) industry is no longer a passive or back-office function; it has evolved into a strategic pillar that defines operational integrity, investor confidence, and business sustainability. Establishing a robust compliance framework requires integrating multiple layers of regulation, namely the SEBI (Portfolio Managers) Regulations, 2020, AML and PMLA laws, the Digital Personal Data Protection Act, 2023, and SEBI’s Cyber Resilience Framework (2024), into day-to-day operations, supported by vigilant monitoring and transparent governance.

To stay future-ready, PMS providers must adopt a compliance-first culture, led by competent officers, strong internal controls, advanced technology systems, and board-level oversight. Aligning with the Master Circular (2025) and upcoming data protection mandates not only ensures regulatory safety but also strengthens credibility. In essence, compliance is not a burden but a strategic investment, one that builds trust, drives transparency, and anchors the long-term stability of every PMS enterprise.

Frequently Asked Questions (FAQs)

Q1. What laws govern Portfolio Management Services (PMS) in India?

Ans. PMS in India is primarily governed by the SEBI (Portfolio Managers) Regulations, 2020, along with the Master Circular for Portfolio Managers (July 16, 2025), issued by SEBI. Additionally, PMS providers must comply with the Prevention of Money Laundering Act, 2002 (PMLA), Digital Personal Data Protection Act, 2023 (DPDP Act), and SEBI’s Cyber Security and Cyber Resilience Framework (2023–24).

Q2. What is the minimum net worth required for a PMS provider?

Ans. As per Regulation 9 of the SEBI (Portfolio Managers) Regulations, 2020, every PMS provider must maintain a minimum net worth of ₹5 crore. The net worth must be certified annually by a Chartered Accountant and reported to SEBI. Falling below this threshold can result in restrictions or suspension of new client onboarding.

Q3. Who are the key compliance officials in a PMS organization?

Ans. Two roles are mandatory under the PMS Regulations:

  • Principal Officer (Regulation 7): A senior official with a minimum of five years’ relevant experience.

  • Compliance Officer: Responsible for monitoring adherence to SEBI regulations, internal policies, AML norms, and data protection obligations.

Q4. What is the minimum investment required per PMS client?

Ans. Under Regulation 19, the minimum investment required from each client is ₹50 lakh, either in cash or securities. Compliance teams must ensure this threshold is met before activating any PMS account.

Q5. What are the key Anti-Money Laundering (AML) obligations for PMS providers?

Ans. PMS providers are “reporting entities” under the Prevention of Money Laundering Act, 2002 (PMLA). They must:

  • Conduct Customer Due Diligence (CDD) and identify Beneficial Owners (BOs).

  • File Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) with FIU-IND.

  • Maintain KYC and transaction records for at least five years.

  • Train employees regularly on AML compliance procedures.

Q6. What cybersecurity measures must PMS providers adopt?

Ans. Under the SEBI Cyber Security and Cyber Resilience Framework (2023) and the 2024 graded CSCRF guidelines, PMS entities must:

  • Appoint a Chief Information Security Officer (CISO).

  • Implement a board-approved information security policy.

  • Conduct regular vulnerability assessments, incident reporting, and disaster recovery testing.

  • Comply with SEBI’s reporting timelines for any cyber incident or data breach.

Q7. How often must a PMS provider submit reports to SEBI?

Ans. PMS providers must file quarterly offsite reports, including AUM, transactions, and client details through SEBI’s intermediary portal. Additionally, an annual compliance audit report must be filed under Regulation 30, certified by an independent Chartered Accountant.

Q8. How does the Digital Personal Data Protection Act, 2023, affect PMS providers?

Ans. The DPDP Act classifies PMS providers as Data Fiduciaries responsible for:

  • Processing client data only with lawful consent.

  • Ensuring data security, purpose limitation, and minimal collection.

  • Appointing a Data Protection Officer (DPO) where applicable.

  • Reporting data breaches within 72 hours.

Non-compliance may lead to financial penalties under the DPDP Act.

Q9. What are the consequences of non-compliance with SEBI regulations?

Ans. Failure to adhere to PMS Regulations can attract penalties under Section 15HA of the SEBI Act, 1992, and may lead to:

  • Suspension or cancellation of registration.

  • Prohibition from onboarding new clients.

  • Monetary penalties and public censure.

  • Increased scrutiny during SEBI inspections and audits.

Q10. What are SEBI’s latest updates for PMS providers in 2025?

Ans. Recent developments include:

  • Master Circular (July 2025): Consolidated PMS compliance and reporting framework.

  • Cyber Resilience Framework (2024): Advanced AI-driven data monitoring.

  • Fee Disclosure Standardization (2024): Uniform format for client reporting.

  • DPDP Compliance (2025): Integration of personal data protection with PMS operational policies.

CA Manish Mishra is the Co-Founder & CEO at GenZCFO. He is the most sought-after professional for providing virtual CFO services to startups and established businesses across diverse sectors, such as retail, manufacturing, food, and financial services, with over 20 years of experience, including strategic financial planning, regulatory compliance, fundraising, and M&A.