Sometimes complexity is not loud, but comes with quiet paperwork. For instance, these might include a list that isn't updated, a trade that isn't flagged, or a tiny permission that nobody revisits because the quarter is closing and everyone is tired.
In January 2026, reporting based on a confidential SEBI (Securities and Exchange Board of India) show-cause notice described alleged insider trading breaches tied to Yes Bank’s 2022 share sale. It named executives linked to EY and PwC, among others.
Of course, the headline is “scandal,” but the more interesting part is the mechanism underneath it. It includes the restricted list, which serves as a guardrail meant to prevent exactly this kind of spill.
Background and What Restricted Lists Actually Do
A restricted list is an internal “do not trade” map. It exists because insider trading rules do not care whether someone meant to misuse information.
Under SEBI’s framework, an “insider” includes a connected person or anyone in possession of, or with access to, unpublished price-sensitive information, and trading while in possession is prohibited.
So, once you accept that standard, the list cannot be a static spreadsheet that gets refreshed when someone remembers. It has to reflect how mandates move across teams, service lines, and affiliate entities. Also, it must move fast enough to keep pace with normal personal trading behaviour.
|
Control Tool |
What It Is Trying To Do |
The Common Weak Spot |
|
Restricted list |
Prevent staff trading in mandate-connected securities |
Coverage gaps when advisory work is not mapped end-to-end |
|
Trading window closure |
Pause trading when UPSI (Unpublished Price Sensitive Information) is likely in play |
Late calls on who can “reasonably be expected” to hold UPSI |
|
Structured digital database (SDD) |
Leave an audit trail of who received UPSI and when |
Incomplete logging of quick forwards and external recipients |
The Allegations That Lit the Fuse
As described in the reporting, SEBI’s notice relates to trading activity ahead of Yes Bank’s July 2022 share offering, where Carlyle and Advent acquired a combined 10% stake.
The alleged issue was not only that people traded, but also that information flows. Moreover, confidentiality controls within professional firms did not hold in a way that would have prevented it.
The same report says the following:
- Advent engaged Ernst & Young (EY) for tax advisory work and feedback on Yes Bank’s management.
- EY Merchant Banking Services handled the valuation.
- Carlyle and Advent engaged PwC for tax planning and due diligence around the same period.
It is evident that there are many touchpoints. In this case, the “restricted list” part is the sharp edge. The notice reportedly said EY failed to place Yes Bank on a sufficiently broad restricted list. It means some staff with potential access were not barred from trading.
Also, it reportedly said PwC lacked a restricted stock list for advisory and consulting clients. Moreover, its internal disclosure system failed to report some trades. Basically, they are design and coverage failures. They might be problematic in the long run.
|
What The Gap Looks Like |
EY (As Alleged In Reporting) |
PwC (As Alleged In Reporting) |
|
List coverage |
Yes Bank was not placed on a sufficiently broad restricted list |
No restricted stock list for advisory and consulting clients |
|
Policy and reporting |
Internal trading policy is alleged not to comply with regulations |
The disclosure system allegedly let some trades go unreported |
|
Practical outcome |
Some potentially exposed staff were not blocked |
Some trades may have slipped past internal visibility |
Where Does the Back Door Show Up?
In general, a restricted list works only if it mirrors the real perimeter of access, not the org chart. Deal work splinters into valuation, tax, diligence, and “just a quick review,” and each slice is treated as small, harmless, and almost administrative.
However, the slices add up, and you end up with a wider circle of partial knowledge. Also, the list often chases the work instead of leading it. This is also where corporate lawyers in India gets pulled into arguments about confidentiality, privilege, and whether “limited access” is still access in practice.
SEBI’s own guidance on structured digital databases quietly hints at the same structural problem. It means that the obligation follows the information. The FAQs recognise that intermediaries and fiduciaries who receive UPSI should maintain their own records of what was shared and with whom, and not only the listed company should keep the trail.
So the back door is not usually a secret tunnel. It is a plain door that was never wired into logging and monitoring. This is because the engagement was treated as advisory rather than sensitive. Hence, it was not tracked.
Practical Takeaways for Compliance Teams
Make sure to build restricted lists from entity graphs, not from engagement titles. Also, update them as soon as intake happens, not when a meeting finally “confirms” a mandate.
Moreover, treat advisory work as potentially sensitive by default when it touches a listed issuer, and require SDD-style logging of who received what and when. Also, make sure to tighten personal trade reporting systems so “unreported” is not a state that can persist. This is because delay is exactly how back doors stay open long enough to be used.
Whether SEBI’s allegations are upheld or not, the design lesson stays. Basically, restricted lists are about coverage. If the list is narrow, the door stays open. If the list is broad but not operational, people go around it because friction hurts.
Hence, you have to map access honestly and log it automatically. Also, accept a bit of friction as the price of being a gatekeeper in a market is too high to miss out.
Share:
Share on
×