In India, algorithmic (API) trading is now formally allowed for retail—under strict safeguards. SEBI’s 4 Feb 2025 circular created a “track-and-trace” framework: every algo must be exchange-approved (or generically tagged), orders must carry a unique Algo ID, providers must be empanelled, and brokers must enforce static-IP, OAuth/2FA, audit trails, and kill-switch controls. (Securities and Exchange Board of India, Reuters)
Why this matters
If you use APIs to trade—or plan to buy algorithms from third-party vendors—your setup must comply with SEBI and exchange rules. Non-compliance can mean blocked orders, penalties, or loss of access. This guide summarizes what to do, step-by-step, with Indian-specific examples and terms.
Key rules at a glance (2025)
- SEBI framework (4 Feb 2025):
  - Brokers can offer algo trading to retail only after exchange permission for each algorithm (or generic tagging below a threshold).
  - Unique Algo IDs must tag all algo orders for traceability.
  - Algo providers must empanel with exchanges.
  - Client-built algos need registration if they cross the order-per-second (OPS) threshold. (Securities and Exchange Board of India, Reuters)
- NSE Implementation Standards (5 May 2025):
  - Static IP whitelisting is mandatory for API access (client/vendor/broker, as applicable).
  - Threshold OPS = 10 per exchange/segment.
  - Below-threshold clients don’t register their algo with the broker system; however, exchanges tag such API orders with a generic Algo ID for audit.
  - Daily forced logout of API sessions; OAuth/2FA only; no open APIs; 5-year audit trail; exchanges can kill rogue algos.
- Ongoing tagging and validations: NSE is adding NNF-ID ↔ Algo-ID validations to ensure order lineage from front ends and APIs. (NSE India)
- DMA vs Retail APIs: DMA/CTCL remains primarily for institutional clients; retail uses broker-exposed APIs under the new standards. (NSE India)
- Regulatory lineage: These build on SEBI’s 2012 Broad Guidelines on Algorithmic Trading, plus subsequent strengthening of audits and risk checks. (Securities and Exchange Board of India)
Who is allowed to do what?
1) Brokers (Trading Members)
- Offer API access after meeting exchange standards; maintain OAuth/2FA; keep 5-year audit trails; enforce the threshold OPS limit (TOPS, 10 OPS) and kill-switches; ensure only whitelisted static IPs can hit APIs.
2) Empanelled Algo Providers
- Must empanel with each exchange and register every offered algo to obtain a unique exchange Algo ID (re-approval on logic changes).
3) Retail clients building their own algos
- Can use broker APIs from a static IP.
- If they exceed 10 OPS, they must register the algo via the broker; orders carry a specific Algo ID.
- If they stay ≤10 OPS, they don’t file a full algo registration but their API orders are still tagged with a generic exchange-issued ID for traceability.
Step-by-step: Getting compliant (Retail API user)
- Choose a broker that supports retail APIs under the 2025 standards.
- Provide your static IP to the broker (primary + optional secondary). Changes are limited (typically once a week).
- Authenticate via OAuth + 2FA; ensure your code renews sessions as required; expect daily auto-logout before the next trading day.
- Control your order rate:
  - Stay ≤10 OPS per exchange/segment to avoid full registration—your orders will still be generic-tagged.
  - If you will exceed 10 OPS, register the algo via your broker for each exchange you trade; get a specific Algo ID.
- Enable risk checks: price/quantity bands, net position/MTM caps, and a kill-switch. (These flow from NSE’s consolidated master circular references for IBT/STWT/NNF.) (NSE India)
- Maintain logs: Keep input signals, parameters, and order/response logs—brokers must retain an audit trail for 5 years; align your storage accordingly.
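The order-rate, risk-check and logging steps above can be enforced on the client before any request reaches the broker. The sketch below is an added example, not code from SEBI, NSE or any broker: `OrderGate`, its field names and the `EQ`/`FO` segment labels are hypothetical, the sliding one-second window is an assumed (conservative) way to count OPS, and the hash-chained log is one way to keep local records tamper-evident rather than something the rules prescribe.

```python
import hashlib, json, time
from collections import defaultdict, deque

OPS_LIMIT = 10   # page's threshold: 10 orders/second per exchange/segment
GENESIS = "0" * 64

class OrderGate:
    """Hypothetical client-side pre-trade gate; place it before the broker API call."""
    def __init__(self, max_qty, clock=time.time):
        self.max_qty, self.clock, self.killed = max_qty, clock, False
        self.sent = defaultdict(deque)   # (exchange, segment) -> accept timestamps
        self.audit, self._prev = [], GENESIS

    def kill(self):
        self.killed = True               # local kill-switch: reject everything after this

    def _log(self, now, order, reason):
        # Each record commits to the previous record's hash (tamper-evident chain).
        rec = {"t": now, "order": dict(order), "reason": reason, "prev": self._prev}
        rec["hash"] = self._prev = _digest(rec)
        self.audit.append(rec)
        return reason == "ok"

    def submit(self, order):
        now = self.clock()
        window = self.sent[(order["exchange"], order["segment"])]
        while window and now - window[0] >= 1.0:   # drop sends older than 1 s
            window.popleft()
        if self.killed:
            return self._log(now, order, "kill-switch")
        if order["qty"] > self.max_qty:
            return self._log(now, order, "qty-cap")
        if len(window) >= OPS_LIMIT:
            return self._log(now, order, "ops-limit")
        window.append(now)
        return self._log(now, order, "ok")

def _digest(rec):
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def verify_audit(audit):
    """True only if every record hashes correctly and links to its predecessor."""
    prev = GENESIS
    for rec in audit:
        if rec["prev"] != prev or _digest(rec) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Rejected orders are logged as well as accepted ones, so the record shows the throttle and kill-switch actually firing; broker-side enforcement still applies independently of this gate.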
Step-by-step: Offering algos to clients (Algo providers, India-focused)
- Empanel with exchanges where your algos will trade.
- Register each algo; obtain a unique Algo ID (re-register on logic changes). Share these IDs with member brokers who distribute your algos.
- Integrate securely: use vendor-specific API keys, whitelisted static IPs, and OAuth/2FA; open/public APIs are disallowed.
- Disclose features and risks to brokers/clients; align advertisements with SEBI’s ad code (if you are also an IA/RIA).
- Host within required environments (broker/vendor servers as specified) and support broker audits.
Controls you cannot skip
- Static IP whitelisting (client/vendor/broker as applicable).
- OAuth + 2FA for all API access; no open APIs.
- OPS throttling (≤10 by default) with broker-level enforcement.
- Unique Algo ID tagging on every order (specific or generic).
- Daily forced logout of sessions.
- 5-year audit trail, with ability to identify the actual end user.
- Exchange kill-switch authority for rogue algos.
What’s new in 2025? Beyond SEBI’s circular, NSE has begun NNF-ID ↔ Algo-ID validation so front-end lineage (CTCL/NNF) and API lineage map cleanly—important for surveillance and investigations. (NSE India)
DMA, co-lo and retail APIs—what’s the difference?
- DMA/CTCL (primarily institutional): Direct access through a member’s infrastructure; historically used by HFT/prop desks and funds. Retail typically does not access DMA. (NSE India)
- Retail APIs (2025 framework): Broker-exposed APIs with static IP, 2FA, OPS caps, and Algo-ID tagging to enable broader retail participation—safely. (Securities and Exchange Board of India)
Context tip: These reforms also follow years of regulatory focus on fairness and access around co-location and ultra-low latency practices at exchanges. (Reuters)
Compliance checklist (print-friendly)
| Area | What to do | Evidence |
|---|---|---|
| Access | Share static IP(s); map to your API key | Broker confirmation/whitelist log |
| Authentication | OAuth + 2FA only; expect daily logout | Login flows; session expiry logs |
| Order Rate | Keep ≤10 OPS (or register algo if >10) | Throttle config; broker limit set |
| Tagging | Ensure Algo ID on every order | Order/trade reports with IDs |
| Records | Maintain 5-year audit trail | Centralized log archive |
| Front-end lineage | Verify NNF-ID ↔ Algo-ID mapping | NSE validation pass logs (NSE India) |
| Controls | Price bands, position/MTM caps, kill-switch | RMS policy; test evidence (NSE India) |
FAQs
Do I need to register my algo if I only place a few orders?
If you exceed 10 OPS, yes—register via your broker and get a specific Algo ID. If you stay ≤10 OPS, you don’t file a full registration via the broker system; however, exchanges will still tag such API orders with a generic Algo ID for audit.
Can I use any third-party platform that connects to my broker?
Only if the algo provider is empanelled and integrates via unique vendor API keys and whitelisted static IPs. Open/public APIs are not permitted.
Is DMA available to me as a retail client?
DMA/CTCL remains an institutional facility; retail uses broker APIs under the 2025 standards. (NSE India)
Will these rules change again?
Exchanges are iterating (e.g., July 2025 NNF-ID/Algo-ID validations). Always check your broker’s latest circulars and exchange updates. (NSE India)
Bottom line for Indian investors
SEBI has opened the door to retail algorithmic trading—but only with tight traceability and risk controls. Treat compliance as “non-negotiable plumbing”: static IPs, 2FA, throttles, tagging, and logs. With the right setup, you can automate execution while staying on the right side of the rulebook. (Securities and Exchange Board of India)
Sources
SEBI circular (4 Feb 2025); NSE Implementation Standards (5 May 2025); NSE NNF-ID/Algo-ID validation (24 Jul 2025); NSE DMA guidance; SEBI 2012 Broad Guidelines. (Securities and Exchange Board of India, NSE India)