AKP Corporate & Compliance Digest January 27, 2026

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.

1. Labour Law

1.1. EPFO further extends December wage-month ECR filing timeline

Employees' Provident Fund Organisation (EPFO) issued a circular extending the due date for filing the Electronic Challan-cum-Return ("ECR") and remitting dues for the wage month of December 2025 up to January 22, 2026, citing technical and operational difficulties faced by employers. It stated that no interest or damages would be levied if the ECR filing and payment are completed within the extended timeline and indicated that statutory default would be reckoned from January 15, 2026, for this wage month.

2. Stamp Duty

2.1. Karnataka notifies Digital E-Stamping via Kaveri-2 for stamp duty payments

The Government of Karnataka notified that, under the Karnataka Stamp (Digital e-Stamp) Rules, 2025, the Registration and Stamps Department's Kaveri-2 software module has been designated as the "Digital e-Stamp Application" for providing digital e-stamp services to the public. The notification notes that the move is intended to improve security and transparency in stamp duty payment and reduce misuse such as forged stamps and fraudulent certificates that can cause revenue loss. The gazette publication is dated January 19, 2026, and references the underlying rules notified on August 7, 2025. [KA1]

2.2. Kanpur Nagar amends circle rate schedule under Uttar Pradesh Stamp (Property Valuation) Rules, 1997

The District Magistrate, Kanpur Nagar issued orders dated January 22, 2026, to partially revise the district's circle rate list and valuation provisions (earlier effective from September 6, 2025) after considering objections received during the review process, with the revised schedule taking effect from January 23, 2026. The revision updates the methodology for valuing roof or terrace areas in buildings by linking valuation to floor level, including applying 75 per cent (seventy-five per cent), 60 per cent (sixty per cent), 50 per cent (fifty per cent), 40 per cent (forty per cent) and 30 per cent (thirty per cent) of the applicable rate depending on the floor, and also revises certain category-wise and locality-wise valuation parameters used for stamp duty assessment and registration. [UP]

2.3. Uttar Pradesh expands stamp duty exemptions for bioplastic units

The stamp and registration department approved relief on stamp duty for non-anchor bioplastic units, including up to 100 per cent (one hundred per cent) exemption in certain locations. Sub-registrars were asked to provide 100 per cent (one hundred per cent) exemption in Purvanchal and Bundelkhand, 75 per cent (seventy-five per cent) in western Uttar Pradesh (excluding Ghaziabad and Noida), and 50 per cent (fifty per cent) in Ghaziabad and Noida.

3. Stock Exchanges

3.1. NSE issues annual calendar for settlement of clients' running account funds for FY 2026-27

National Stock Exchange of India Limited ("NSE") has issued an annual calendar for settlement of running account of clients' funds lying with trading members for financial year 2026-27, pursuant to paragraph 3.2 and 6.3 of the Securities and Exchange Board of India ("SEBI") circular dated December 28, 2023, on "Settlement of Running account of clients' funds lying with the Trading Members". For quarterly settlements, the prescribed windows are April 17, 2026, and/or April 18, 2026 (Q1), July 3, 2026, and/or July 4, 2026 (Q2), October 16, 2026, and/or October 17, 2026 (Q3), and January 1, 2027, and/or January 2, 2027 (Q4), falling on Friday and/or Saturday. For monthly settlements, the dates are April 17, 2026 and/or April 18, 2026; May 15, 2026 and/or May 16, 2026; June 5, 2026 and/or June 6, 2026; July 3, 2026 and/or July 4, 2026; August 7, 2026 and/or August 8, 2026; September 4, 2026 and/or September 5, 2026; October 16, 2026 and/or October 17, 2026; November 6, 2026 and/or November 7, 2026; December 4, 2026 and/or December 5, 2026; January 1, 2027 and/or January 2, 2027; February 5, 2027 and/or February 6, 2027; and March 5, 2027 and/or March 6, 2027, and trading members have been advised to take note and comply.

3.2. NSE revises client collateral segregation reporting schedule due to Union Budget live trading session

NSE through a circular informed all members and custodians that because the Union Budget will be presented on Sunday, February 1, 2026, the cut-off dates for client collateral segregation reporting have been adjusted. The circular sets the cut-off date as February 2, 2026, for trade dates January 30, 2026, January 31, 2026, and February 1, 2026, and as February 3, 2026, for the trade date February 2, 2026. It also clarifies that non-submission of client collateral will be treated as non-compliance and penalties for non-submission will apply, and requests members to adhere to the revised timelines.

3.3. BSE issues annual calendar for settlement of clients' funds under running account framework

Bombay Stock Exchange Limited ("BSE"), through a notice, informed trading members that, pursuant to paragraph 48 of the SEBI Master Circular No. SEBI/HO/MIRSD/MIRSD-PoD/P/CIR/2025/90 dated June 17, 2025 on settlement of running account of clients' funds lying with trading members, exchanges have jointly prescribed the annual calendar for settlement of the running account (quarterly and monthly) for the financial year 2026–27, enclosed as Annexure A. BSE advised trading members to take note and comply, and provided inspection contact details for queries.

3.4. BSE levies charges for non-upload of TWS/ETI/BOLTPLUS terminal location information

BSE, through a notice informed trading members that it has downloaded the charges file for the month of December 2025 for instances where orders were placed from TWS/ETI/BOLTPLUS terminals whose locations were not registered or were incorrectly registered with the Exchange. BSE stated that such location codes attract a financial disincentive of INR 1,000 (Indian Rupees One Thousand only) per instance, and that the charges file (LCS1225.xxxx for December 2025) has been placed in the EQUITY TRANSACTION folder on Extranet and the amounts indicated will be debited to the General Charges Account. BSE advised trading members to ensure strict compliance by uploading terminal location details to the Exchange before punching orders from any location. [BSE]

3.5. NSDL enables e-PASS download of deceased investors' PAN details for participants

National Securities Depository Limited ("NSDL") informed participants that it has added a facility on the NSDL e-PASS portal to download details of deceased investors based on demise-related Permanent Account Number ("PAN") data received from KYC Registration Agencies ("KRAs"), aligned with the SEBI's framework on centralised reporting of an investor's demise through KRAs. The data will be available on a date-wise basis for the dates on which the information was received from the KRAs, and participants must download and save it because it will remain accessible only for the last 15 (fifteen) days. NSDL clarified that data received from the KRAs up to January 2, 2026 will be made available under the date January 5, 2026, and existing maker and checker users can access the feature using their current e-PASS login credentials by navigating to iAssist, then Downloads, and selecting "Demise cases reported at KRA" to search by date range and download the relevant file.

3.6. NSDL to freeze demat accounts where KRA validation finds KYC non-compliance

NSDL by a circular informed Depository Participants ("DP") that KRAs have shared a list of Know Your Customer ("KYC") records found invalid for various reasons, including invalid PANs, for new PANs updated in the KRA system between December 1, 2025, and December 31, 2025. Based on data made available by KRAs on January 6, 2026, NSDL has uploaded DP-wise demat account details on the NSDL e-PASS portal under "Non-Complied KYC KRA Accounts" (file name: "Non-Complied_KYC_KRA_Accounts_Dec_2025") for participants to review and follow up with clients. NSDL stated that the identified demat accounts will be frozen as "Suspended for debit and credit" on January 31, 2026, considering updated data expected from KRAs on January 30, 2026, and advised participants to intimate affected clients via letter, email, short message service (SMS), or other modes, and to follow the de-suspension process.

3.7. NSE reminds trading members to submit cyber security and cyber resilience audit reports

NSE issued a circular reminding trading members to submit the Cyber Security and Cyber Resilience Audit Report for the half year ended September 30, 2025, on or before January 31, 2026. The requirement is mandatory for trading members falling under Qualified Regulated Entities ("REs") and Mid-size REs or Small size REs that provide Internet Based Trading (IBT) or algorithmic trading facilities. NSE stated that submissions must be made electronically through the Member Portal and warned that failure to comply may attract penalty or disciplinary action under its earlier inspection circular dated November 10, 2025, as also reiterated through its circular dated December 24, 2025.

4. Information Technology

4.1. CERT-In flags high-severity denial-of-service vulnerabilities in Red Hat JBoss

The Indian Computer Emergency Response Team ("CERT-In") on January 20, 2026 issued Vulnerability Note CIVN-2026-0033 warning of multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.1 EUS (x86_64) that could be exploited remotely to cause denial-of-service (DoS) on targeted systems, with a high risk of service disruption and potential unauthorised access impacts for enterprises using JBoss products. CERT-In stated the issues arise from a boundary error when parsing deeply nested JSON files and a resource exhaustion flaw when handling HTTP/2 requests, which could be triggered through specially crafted requests. CERT-In advised affected organisations to apply vendor patches referenced in Red Hat advisory RHSA-2026:0742 and listed the associated vulnerabilities as CVE-2025-52999 and CVE-2025-55163.

4.2. CERT-In flags critical remote code execution vulnerability in Fortinet FortiSIEM

CERT-In on January 20, 2026, issued Vulnerability Note CIVN-2026-0035 warning of a critical remote code execution vulnerability in Fortinet FortiSIEM affecting versions 7.4.0, 7.3.0 through 7.3.4, 7.2.0 through 7.2.6, 7.1.0 through 7.1.8, 7.0.0 through 7.0.4, and 6.7.0 through 6.7.10, arising from improper neutralisation of special elements in operating system commands. CERT-In noted that an attacker could exploit the issue by sending specially crafted TCP requests to inject commands, potentially enabling unauthorised command injection, data loss or full system compromise, and advised all organisations and individuals using FortiSIEM to apply vendor updates referenced by Fortinet (FG-IR-25-772), with the associated CVE listed as CVE-2025-64155.

4.3. CERT-In flags high-severity vulnerabilities across Atlassian products

CERT-In issued Advisory CIAD-2026-0003 on January 23, 2026, warning of multiple high-severity vulnerabilities affecting Atlassian's Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Jira Data Center and Server, and Jira Service Management Data Center and Server. CERT-In noted that the vulnerabilities could allow remote attacks including XML External Entity injection, server-side request forgery, remote code execution, man-in-the-middle interception, cross-site scripting, and denial of service, leading to unauthorised access, data manipulation, service disruption, and potential compromise of connected systems. Organisations using impacted versions were advised to apply the relevant updates referenced in Atlassian's security bulletin dated January 20, 2026, and to prioritise remediation given the stated risk of privilege escalation and bypass of authentication mechanisms.

4.4. CERT-In warns of high-severity vulnerabilities in HPE Aruba Networking AOS

CERT-In issued Vulnerability Note CIVN-2026-0043 on January 22, 2026, flagging multiple high-severity vulnerabilities in Hewlett Packard Enterprise (HPE) Aruba Networking Aruba OS (AOS) affecting mobility conductors, controllers, wireless local area network and software-defined wide area network gateways, across several AOS 8 and AOS 10 version trains. CERT-In stated that successful exploitation could enable arbitrary code execution, command injection, arbitrary file deletion and upload, stack overflow, and denial of service, creating a high risk of system compromise and unauthorised access, with adverse impact on confidentiality, integrity and availability. The note lists multiple Common Vulnerabilities and Exposures (CVE) identifiers, including CVE-2025-37168 through CVE-2025-37179, and advises organisations to apply the appropriate vendor updates referenced in HPE's advisory.

4.5. CERT-In flags high-severity vulnerabilities in Microsoft Edge

On January 23, 2026, the Indian Computer Emergency Response Team (CERT-In) issued Vulnerability Note CIVN-2026-0044 reporting multiple HIGH severity vulnerabilities in Microsoft Edge versions prior to 144.0.3719.82. CERT-In stated that a remote attacker could exploit the flaws by persuading a victim to visit a specially crafted web page, potentially enabling arbitrary code execution, bypass of security restrictions, and elevated privileges on the targeted system. CERT-In assessed a high risk of unauthorised access to sensitive data, system compromise, and service unavailability. The note references 11 (eleven) Common Vulnerabilities and Exposures (CVE) identifiers, including CVE-2026-0899 through CVE-2026-0908 and CVE-2026-21223, and advises applying the relevant vendor fixes.

4.6. CERT-In warns of multiple HIGH vulnerabilities in Mozilla Thunderbird

CERT-In issued Vulnerability Note CIVN-2026-0045 on multiple vulnerabilities in Mozilla Thunderbird, affecting Mozilla Thunderbird ESR versions prior to 140.7 and Mozilla Thunderbird versions prior to 147. CERT-In stated that the issues could allow a remote attacker to execute arbitrary code, bypass security restrictions, or perform spoofing attacks, with a high risk of system compromise and service disruption. CERT-In noted that exploitation could occur if a victim opens a specially crafted web request and advised applying the relevant vendor updates referenced in Mozilla security advisories MFSA2026-04 and MFSA2026-05, with associated CVE identifiers including CVE-2025-14327 and CVE-2026-0877 through CVE-2026-0892.

4.7. CERT-In flags high-severity vulnerabilities in TP-Link Archer routers

CERT-In on January 20, 2026 issued Vulnerability Note CIVN-2026-0034 warning of multiple vulnerabilities in TP-Link Archer routers that could allow an attacker to perform arbitrary file deletion and trigger a denial-of-service (DoS) condition on the targeted device. The advisory applies to TP-Link Archer BE400 V1 version 1.1.0 build 20250710 rel.14914 and prior, and TP-Link Archer AXE75 v1.6 versions prior to build 20250107 and attributes the issues to improper input validation and improper handling and validation of pointer references within 802.11 wireless module processing code. CERT-In assessed a high risk of service interruption and unauthorised access with potential impacts on confidentiality, integrity and availability, and advised users to apply vendor updates, with the associated CVEs listed as CVE-2025-15035 and CVE-2025-14631.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.