REGULATOR · IN · FINTECH · 3 REGIMES
REVISED 2026-05-08 · SEBI · RBI FREE-AI · DPDP · STAGED ENFORCEMENT 2026

India: SEBI + RBI + DPDP.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant. Three regimes intersect on AI agents in Indian fintech. SEBI Retail Algorithmic Trading Framework governs algorithmic trading offered to retail investors. RBI Framework for Responsible and Ethical Enablement of AI governs AI in regulated banking. DPDP Act 2023 governs personal data processing across both. Warrant maps all three on a single trace.

SEBI
2026-04-01
Retail Algorithmic Trading Framework, fully mandatory.
RBI · FREE-AI
7 sutras · 26 recs
Released 13 Aug 2025. Framework for Responsible and Ethical Enablement of AI.
DPDP MAX PENALTY
₹250 cr / breach
Personal data protection across both fintech regimes.
01 · SEBI · RETAIL ALGORITHMIC TRADING FRAMEWORK

Retail algorithmic trading under glide path.

All AI/ML-based algorithmic trading strategies offered to retail investors require pre-approval by exchanges and SEBI. Documentation of model logic, risk parameters, backtesting, and monitoring mechanisms is mandatory.
SEBI · Retail Algorithmic Trading Framework circular · 4 February 2025

SEBI's "Safer participation of retail investors in algorithmic trading" circular (4 February 2025) introduced the Retail Algorithmic Trading Framework, with a glide path: API algo product application 31 October 2025, product registration 30 November 2025, mock session participation 3 January 2026, fully mandatory 1 April 2026. Pre-approval is the lever.

SEBI § 1
Pre-approval reference attached to every retail trade. WARRANT · trace.actions[*].pre_approval_ref + trace.regulated_entity binds to the SEBI-registered entity.
SEBI § 2
Model documentation per strategy. WARRANT · trace.agent_id + trace.model_id + trace.model_version, bound into a record that is independently verifiable without contacting Warrant.
SEBI § 3
Risk parameter disclosure per decision. WARRANT · trace.actions[*].inputs.risk_parameters + per-action authorization_envelope.preconditions_met.
SEBI § 4
Backtesting evidence reference. WARRANT · trace.backtesting_record_id (when supplied). Gap surfaced when missing.
02 · RBI · FRAMEWORK FOR RESPONSIBLE AND ETHICAL ENABLEMENT OF AI

Seven sutras for AI in regulated entities.

AI systems in regulated entities must demonstrate the seven sutras: Trust, People First, Innovation, Fairness, Accountability, Explainability, Resilience. The Framework structures 26 recommendations across six pillars (Infrastructure, Policy, Capacity, Governance, Protection, Assurance), covering bias mitigation, opacity reduction, auditability, incident reporting, and human oversight for AI in banking.
RBI · Framework for Responsible and Ethical Enablement of AI · Committee Report · 13 August 2025

RBI released the Framework for Responsible and Ethical Enablement of AI Committee Report on 13 August 2025 (FREE-AI). The seven sutras and 26 recommendations apply to AI in regulated entities. Operationalisation is ongoing; supervisory action sits under the Banking Regulation Act and the RBI Act. For the sutra-by-sutra reading, see RBI FREE-AI, read against the AI agent.

FREE-AI · 1
Bias testing per high-impact decision class. WARRANT · trace.bias_test_record_id (when supplied). Explainability rationale captured per action.
FREE-AI · 2
Explainability for high-impact decisions. WARRANT · trace.actions[*].rationale + authorization_envelope.justification per action.
FREE-AI · 3
Human oversight for high-risk decisions. WARRANT · trace.actions[*].human_review_recorded + authorization_envelope.human_oversight_appropriate.
FREE-AI · 4
Audit trail reconstructable. WARRANT · a record mapped to the obligation, independently verifiable without contacting Warrant (forever).
03 · DPDP ACT 2023

Personal data, across both regimes.

Personal data processing by AI systems in India falls within DPDP Act scope. Data fiduciaries must establish lawful bases, capture consent, implement purpose limitation, and respond to data principal rights including erasure and access.
Digital Personal Data Protection Act 2023 · MeitY

DPDP Act 2023 layers across SEBI and RBI regimes. Up to ₹250 crore per breach. Lawful basis recorded per action, purpose limitation enforced via the authorization envelope, data principal rights logged as auditable actions in the same evidence shape. Cross-border transfer disclosure and 72-hour breach notification remain in customer process today. For the section-by-section reading, see the DPDP Act 2023, read against the AI agent.

7 sutras
RBI FREE-AI
Trust, People First, Innovation, Fairness, Accountability, Explainability, Resilience. 26 recommendations across six pillars.
2026-04-01
SEBI MANDATORY
Retail Algorithmic Trading Framework fully mandatory after the September 2025 extension circular glide path.
"Three regimes, one trace. Per-vertical depth no horizontal infrastructure player covers."
Counsel · IN regulatory · review · 2026-04-30
04 · WHY THIS REGULATOR NOW

Which Indian regulators cover AI in fintech?

The Indian regulatory perimeter for AI in fintech tightened across three sectoral regimes between February 2025 and April 2026. SEBI Retail Algorithmic Trading Framework moved from circular to mandatory across an 18-month glide path. RBI's Framework for Responsible and Ethical Enablement of AI Committee Report formalised the seven sutras and 26 recommendations into the supervisory expectations baseline. DPDP Act 2023 delivered Schedule One penalties up to INR 250 crore per breach with the Draft DPDP Rules of January 2025 setting implementation expectations. The cross-border firm operating one AI agent now sits inside three regulators' perimeters at once.

Recent enforcement signals show the regimes' posture. SEBI's enforcement action against ASBA-related violations in 2024 (multiple penalties, INR 1 lakh to INR 1 crore range) established that algorithmic-trading documentation gaps are pursued at the firm level, not the model level. RBI's supervisory action against Paytm Payments Bank (31 January 2024 directive, business restrictions and subsequent fines) referenced data-handling and IT governance failures that read directly into FREE-AI's six-pillar baseline. The Data Protection Board of India is being constituted under DPDP § 18; counsel reviewing this page should expect the first DPDP enforcement orders in 2026 Q3 once the Board reaches operational quorum.

Prosecutorial interest is moving across the three regulators in parallel. SEBI is using the pre-approval gate as the structural lever; an unregistered AI/ML strategy offered to retail investors is per se a violation regardless of outcome. RBI's supervisory cycle is the lever for FREE-AI; opaque AI-driven customer decisioning is treated as an operational-risk finding read with the seven sutras. DPDP enforcement will follow the EU GDPR template adapted to Indian market conditions, with cross-border data flows and consent capture as the primary enforcement vectors.

05 · MAPPING · THREE REGIMES

Per-regime field map.

AI/ML-based algorithmic trading strategies offered to retail investors require pre-approval by the relevant Stock Exchanges and SEBI. Brokers shall ensure that such strategies are registered, tested, and monitored continuously. Risk parameters, backtesting evidence, and audit trails are mandatory at registration and shall be available on supervisor request.
SEBI · Retail Algorithmic Trading Framework circular · 4 February 2025 · paraphrased

Three mini-mappings below. SEBI Retail Algo, RBI FREE-AI, DPDP Act 2023. Each row names the obligation and the Warrant evidence field that satisfies it.

5.1 · SEBI Retail Algorithmic Trading Framework

SEBI § 1
Pre-approval reference attached to every retail trade. WARRANT · trace.actions[*].pre_approval_ref + trace.regulated_entity binds to the SEBI-registered entity.
SEBI § 2
Model documentation per strategy. WARRANT · trace.agent_id + trace.model_id + trace.model_version, bound into a record that is independently verifiable without contacting Warrant.
SEBI § 3
Risk parameter disclosure per decision. WARRANT · trace.actions[*].inputs.risk_parameters + per-action authorization_envelope.preconditions_met.
SEBI § 4
Backtesting evidence reference at registration and on request. WARRANT · trace.backtesting_record_id (when supplied). Gap surfaced when missing.
SEBI § 5
Continuous monitoring of registered strategies. WARRANT · trace.model_governance.psi (when supplied) + per-trace authorization envelope. Monitoring outcome attached at action time.

5.2 · RBI Framework for Responsible and Ethical Enablement of AI

FREE-AI · 1
Trust · system reliability and resilience evidenced. WARRANT · a record mapped to the obligation, independently verifiable without contacting Warrant (forever).
FREE-AI · 2
People First · vulnerable customer and accessibility considerations. WARRANT · trace.actions[*].inputs.vulnerability_flags (when supplied) + per-action authorization assessment.
FREE-AI · 4
Fairness · bias testing per high-impact decision class. WARRANT · trace.bias_test_record_id (when supplied). Explainability rationale captured per action.
FREE-AI · 5
Accountability · clear owner of every AI-driven decision. WARRANT · trace.signed_off_by names the accountable officer for the decision, carried in a record mapped to the obligation.
FREE-AI · 6
Explainability · rationale for high-impact decisions. WARRANT · trace.actions[*].rationale + authorization_envelope.justification per action.
FREE-AI · 7
Resilience · audit trail reconstructable on supervisor request. WARRANT · trace.actions[*] (per-action subject, inputs, outputs, ts) bound into a record independently verifiable without contacting Warrant.

5.3 · DPDP Act 2023

DPDP § 4
Lawful basis · consent or specified legitimate use. WARRANT · trace.actions[*].inputs.consent_ref (when supplied) + per-action authorization_envelope.within_purpose.
DPDP § 6
Notice and consent capture. WARRANT · trace.consent_capture_ref (when supplied) bound to data principal id; gap surfaced when missing.
DPDP § 8(1)
Purpose limitation enforced. WARRANT · authorization_envelope.within_purpose flags out-of-purpose access.
DPDP § 8(6)
Personal data breach notification to Board and affected principals. WARRANT · Incident-mode trace ingestion ships in v0.5; today, Warrant produces a per-obligation evidence record from breach-pattern traces, independently verifiable without contacting Warrant. Sectoral overrides (RBI six-hour cyber, CERT-In six-hour) carry separately.
DPDP § 11
Data principal right to access, correction, erasure. WARRANT · trace.actions[*] addressable by data principal id; right-of-access logged as a separate auditable action in the same evidence shape.
DPDP § 16
Cross-border transfer subject to government notification. WARRANT · trace.actions[*].inputs.cross_border_flag (when supplied) + authorization_envelope check; sectoral residency requirements (RBI payment-system, SEBI market intermediary) carry independently.
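Several rows above mark a field "(when supplied)" with the gap surfaced when it is missing. The sketch below is an added example, not Warrant's code: a local pre-submission check that walks a trace and lists which mapped fields are absent or empty, per obligation. The field paths are taken from the maps above; the JSON nesting, the subset of rows chosen, and all sample values are assumptions.

```python
# Added example, not Warrant code. Field paths come from the section 5 maps;
# the JSON nesting and every sample value below are assumptions.
FIELD_MAP = {
    "SEBI § 1": ["actions[*].pre_approval_ref", "regulated_entity"],
    "SEBI § 2": ["agent_id", "model_id", "model_version"],
    "SEBI § 3": ["actions[*].inputs.risk_parameters"],
    "SEBI § 4": ["backtesting_record_id"],
    "FREE-AI · 5": ["signed_off_by"],
    "FREE-AI · 6": ["actions[*].rationale"],
    "DPDP § 4": ["actions[*].inputs.consent_ref"],
    "DPDP § 6": ["consent_capture_ref"],
}
EMPTY = (None, "", {}, [])

def resolve(node, parts, prefix=""):
    """Yield (concrete_path, value) for a dotted path; 'key[*]' fans out per list item."""
    if not parts:
        yield prefix.rstrip("."), node
        return
    head, rest = parts[0], parts[1:]
    wild = head.endswith("[*]")
    key = head[:-3] if wild else head
    value = node.get(key) if isinstance(node, dict) else None
    if value in EMPTY or (wild and not isinstance(value, list)):
        yield prefix + ".".join(parts), None   # absent, empty or malformed: a gap
    elif wild:
        for i, item in enumerate(value):       # report gaps per action index
            yield from resolve(item, rest, f"{prefix}{key}[{i}].")
    else:
        yield from resolve(value, rest, f"{prefix}{key}.")

def find_gaps(trace):
    """Return [(obligation, missing_path)] for each mapped field that is absent or empty."""
    return [(ob, path)
            for ob, paths in FIELD_MAP.items()
            for p in paths
            for path, value in resolve(trace, p.split("."))
            if value is None]

SAMPLE_TRACE = {  # constructed sample: second action is deliberately incomplete
    "regulated_entity": "EXAMPLE-BROKER-001", "signed_off_by": "officer-demo",
    "agent_id": "agent-demo", "model_id": "model-demo", "model_version": "1.0",
    "consent_capture_ref": "consent-demo-1",
    "actions": [
        {"pre_approval_ref": "PA-DEMO-1", "rationale": "limit order within band",
         "inputs": {"risk_parameters": {"max_order_value": 50000},
                    "consent_ref": "consent-demo-1"}},
        {"rationale": "", "inputs": {"risk_parameters": {}}},
    ],
}
```

On the sample, `find_gaps(SAMPLE_TRACE)` reports five gaps: four on `actions[1]` and the missing top-level `backtesting_record_id`.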
06 · FAQ

Questions a CCO and DPO ask first.

Does DPDP Act 2023 permit cross-border data flows for AI processing?

DPDP § 16 permits cross-border transfer of personal data subject to restrictions notified by the Central Government. The default position is open transfer except to specifically blacklisted countries. Sectoral overrides apply: RBI's data localisation directive (April 2018, payment-system operators) and SEBI's data-residency expectations for market intermediaries are stricter and operate independently of DPDP. Data fiduciaries operating AI agents that process Indian data principal information should expect to maintain trace plus bureau report retention inside India for SEBI- and RBI-supervised entities.

When does SEBI Retail Algorithmic Trading Framework apply to my system?

The SEBI circular of 4 February 2025, with the September 2025 extension, is fully mandatory from 1 April 2026 for all AI/ML-based algorithmic trading strategies offered to retail investors via API or any other means. Pre-approval by the relevant exchange and SEBI is the gating event. Documentation of model logic, risk parameters, backtesting evidence, and monitoring mechanisms is required at registration and on supervisor request thereafter.

How do RBI FREE-AI recommendations bind a regulated entity in practice?

FREE-AI is a Committee Report released 13 August 2025, not a regulation in the strict sense. Operationalisation flows through RBI supervisory expectations under the Banking Regulation Act and the RBI Act. Regulated entities (banks, NBFCs, payment system operators, AIFs) that deploy AI in customer-facing decisioning are expected to demonstrate the seven sutras and the 26 recommendations as a baseline. Supervisor referrals follow the same lever as cybersecurity and operational risk findings.

How do I generate India evidence if my agent runs on a non-India LLM provider?

The location of the model vendor is not material under SEBI, RBI, or DPDP. What is material is whether the regulated entity (the SEBI-registered intermediary, the RBI-regulated entity, the data fiduciary) can produce per-decision evidence and whether personal data of Indian data principals is processed in compliance with DPDP. Wrap each tool call with the Warrant trace shape and POST the JSON to /attest. Warrant produces a per-obligation evidence record mapped to all three regimes from a single trace, independently verifiable without contacting Warrant.

What is the maximum financial penalty under DPDP Act 2023?

DPDP Act Schedule One sets penalties up to INR 250 crore (approximately USD 30 million at 2026 rates) per breach, with the upper end reserved for failure to take reasonable security safeguards. Sectoral overrides may carry separate penalties; SEBI and RBI can pursue parallel proceedings under their own statutes. The Data Protection Board of India (constituted under DPDP § 18) is the adjudicating authority.

Is there a 72-hour breach notification under DPDP analogous to NYDFS § 500.17?

DPDP § 8(6) requires the data fiduciary to notify the Data Protection Board and each affected data principal in the event of a personal data breach in such form and manner as may be prescribed. The implementing DPDP Rules 2025 were notified by MeitY on 13 November 2025; Rule 7 prescribes first intimation 'without delay' followed by a detailed report within 72 hours. Sectoral overrides apply: RBI cyber-incident notification runs to six hours for material incidents; CERT-In incident notification under the Information Technology Act runs to six hours for the prescribed event categories.

07 · READ THE SOURCE

Primary citations.

SEBI Retail Algorithmic Trading Framework circular (4 February 2025) at sebi.gov.in. SEBI extension circular (September 2025): timeline glide path to 1 Apr 2026. RBI Framework for Responsible and Ethical Enablement of AI Committee Report (full PDF, 13 August 2025) at rbidocs.rbi.org.in. DPDP Act 2023 at meity.gov.in.

Sample India evidence package · RBI NBFC-MFI lending agent · CIBIL bureau report · INDEPENDENTLY VERIFIABLE · ID c30707ea704c6b6d
→ india-fintech.pdf