
SEBI’s 2025 framework—and NSE’s implementation standards—introduce static-IP whitelisting for API access, OAuth + 2FA authentication, unique Exchange-issued Algo IDs for every automated order, audit trails for 5 years, and an initial cap of 10 orders per second (OPS) per exchange; algos above this cap must be registered with the exchange. The go-live was extended to 1 Oct 2025. (Moneycontrol, The Economic Times)


Why this matters

If you automate trades in India—whether you’re a retail client using a broker API, a fintech vendor selling algos, or a broker hosting them—2025 is a regulatory reset. The new regime formalises API access, strengthens investor protection, and standardises auditability across brokers and algos. (Securities and Exchange Board of India)


What exactly changed in 2025

  • API access = Static IPs only (no open/public endpoints). Brokers must whitelist client/vendor static IPs; sessions auto-logout daily.
  • Security hardening: OAuth-based logins + 2FA are mandatory for IBT/STWT/Client/Vendor APIs, aligned to SEBI’s cyber-security circulars.
  • OPS cap: Initial 10 OPS per exchange/segment; brokers can set stricter client-level limits.
  • Registration threshold: If you want to exceed the OPS cap, your algo must be registered with the exchange (via your broker).
  • Mandatory tagging: Every algo order (below or above the cap) carries an Exchange-provided Algo ID for traceability.
  • Five-year audit trail: Brokers must retain detailed order/event logs for at least 5 years.
  • Scope: DMA continues under its own rules; this retail-algo framework does not apply to DMA.
  • Timeline: SEBI circular issued 4 Feb 2025; NSE standards 5 May 2025; detailed modalities 22 Jul 2025; effective date extended to 1 Oct 2025. (Securities and Exchange Board of India, Avantis CDN Storage, Moneycontrol)

Who is affected (at a glance)

Stakeholder | What you must do
Retail API users | Trade only from whitelisted static IPs; respect broker OPS limits; use 2FA; ensure orders carry Algo IDs.
Algo vendors (ASP) | Empanel with exchanges; register algos to obtain unique Algo IDs; host safely; integrate OAuth/2FA; agree technical/commercial terms with brokers.
Stock brokers | Enforce static IP, OAuth/2FA, OPS throttling, order tagging; maintain 5-year audit trails; file registrations/updates with exchanges; kill rogue algos if needed.

API compliance checklist (India-specific)

Setup & access

  • Provide primary (and optional secondary) static IPs; updates limited to once per calendar week (exceptions allowed by broker). Static IPs may be shared only within a SEBI-defined family unit with proper authorisation.
  • Multiple API keys are allowed; each key must map to the client’s whitelisted IPs.

Security & authentication

  • Use OAuth + 2FA for every session; disable open APIs; enforce password lifecycle controls.
  • Force daily API logout before next trading day.

Algo identification & logging

  • Tag every order with an exchange-issued Algo ID (generic ID below cap; strategy-specific ID once registered). Retain logs ≥5 years.

OPS limits, registration & how to compute your throughput

Rule of thumb:
If your peak order flow eclipses 10 OPS per exchange/segment, register the algo via your broker before going live. Brokers may set a lower client-level ceiling.

OPS (orders/second) = number of new/modify/cancel requests accepted by broker in any 1-second window per exchange/segment.

Example
You run three strategies on NSE-FO, each bursts at 4 OPS → peak = 12 OPS on the same segment → Registration required and Exchange Algo ID to be used for tagging. If you’re at 8–10 OPS, implement back-pressure to avoid rejections when spikes occur.

Broker rejections: Orders breaching the set OPS limit must be rejected; design your execution layer to rate-limit and retry with jitter.


Operating model patterns that fit the rules

  • Static-IP router: Run a small gateway behind your static IP to fan-out to multiple strategy processes; centralise rate-limiting and Algo-ID tagging before hitting the broker.
  • Idempotent order tokens: Ensure safe retries when OPS throttles kick in.
  • Audit-first logging: Persist request/response payloads, timestamps, user IDs, Algo IDs for ≥5 years; encrypt at rest; test retrieval.
  • Vendor hosting: If using an empanelled vendor’s infrastructure, confirm their exchange empanelment and Algo IDs; your broker must notify exchanges of the arrangement.
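
The static-IP router pattern, combined with the rate-limit-and-retry-with-jitter behaviour described under OPS limits, sketched in Python as an added example (not code from any broker, exchange or the original article). The order fields, the `send` callable and the `GENERIC-ALGO-ID` placeholder are assumptions; the real Algo ID is issued by the exchange.

```python
import random
import time
from collections import defaultdict, deque

OPS_CAP = 10                          # initial cap per exchange/segment
GENERIC_ALGO_ID = "GENERIC-ALGO-ID"   # placeholder; the real ID is exchange-issued


class OrderGateway:
    """Single choke point behind the static IP: throttle, tag, de-duplicate."""

    def __init__(self, send, ops_cap=OPS_CAP, clock=time.monotonic, sleep=time.sleep):
        self.send = send                   # callable(order dict) -> broker response
        self.ops_cap = ops_cap
        self.clock, self.sleep = clock, sleep
        self.sent_at = defaultdict(deque)  # segment -> send times within the last second
        self.results = {}                  # idempotency token -> broker response

    def _try_acquire(self, segment):
        now, window = self.clock(), self.sent_at[segment]
        while window and now - window[0] >= 1.0:   # drop entries older than 1 s
            window.popleft()
        if len(window) >= self.ops_cap:
            return False
        window.append(now)
        return True

    def submit(self, order, token, algo_id=GENERIC_ALGO_ID, max_attempts=5):
        """order: dict with 'segment' and 'action' (new/modify/cancel)."""
        if token in self.results:          # safe retry: a token is sent at most once
            return self.results[token]
        for attempt in range(max_attempts):
            if self._try_acquire(order["segment"]):
                tagged = {**order, "algo_id": algo_id, "token": token}
                self.results[token] = self.send(tagged)
                return self.results[token]
            # Local back-pressure: exponential backoff with full jitter.
            self.sleep(random.uniform(0, min(1.0, 0.05 * 2 ** attempt)))
        raise RuntimeError("throttled: OPS cap reached for " + order["segment"])
```

Set the local cap at or below the broker's client-level limit, since the broker counts on its own clock and rejects the excess.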

Business impact: costs, pricing & timelines

  • Costs: Expect charges for API services and algo registrations in addition to brokerage. Vendors face empanelment/compliance costs; brokers bear monitoring and storage costs.
  • Pricing response: Some brokers have adjusted API fee structures as retail-algo norms firmed up (e.g., reported reductions aligning with the new framework). (Economic Times)
  • When do I need to comply? SEBI’s circular (4 Feb 2025) was followed by NSE standards in May and detailed modalities in July; the effective date was extended to 1 Oct 2025 to ensure smooth rollout. Track exchange circulars for any further tweaks. (Securities and Exchange Board of India, Avantis CDN Storage, Moneycontrol)

Risk controls: what will get you flagged

  • Open networks (no static IP), missing 2FA, or non-OAuth flows.
  • Un-tagged orders or mismatched Algo IDs across modify/cancel paths.
  • Bursty order floods without throttling.
  • Unregistered algos crossing the OPS threshold or using restricted order types the exchange specifies from time to time.
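
A pre-submission self-check over your own audit log for three of the conditions above (untagged orders, Algo-ID mismatches across new/modify/cancel, and bursts over the cap), as an added Python example that is not part of the original article or any exchange tooling. The record field names, the Algo ID values and the sliding-window reading of "any 1-second window" are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

OPS_CAP = 10  # initial cap per exchange/segment


def audit(records, ops_cap=OPS_CAP):
    """Return (kind, detail) findings for a list of order-event records."""
    findings = []
    first_id = {}               # order_id -> Algo ID seen on its first tagged event
    times = defaultdict(list)   # segment -> event timestamps in seconds
    for r in records:
        algo_id = r.get("algo_id")
        if not algo_id:
            findings.append(("untagged", r["order_id"]))
        elif first_id.setdefault(r["order_id"], algo_id) != algo_id:
            findings.append(("algo_id_mismatch", r["order_id"]))
        times[r["segment"]].append(r["ts"])
    for segment, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):        # window of events less than 1 s apart
            while t - ts[start] >= 1.0:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > ops_cap:
            findings.append(("ops_burst", f"{segment} peak={peak}"))
    return findings


# Constructed sample: 12 new orders on NSE-FO inside one second (three
# strategies at 4 OPS each), a modify carrying a different Algo ID, and
# one untagged order on another segment.
SAMPLE = [
    {"ts": 0.05 * i, "segment": "NSE-FO", "order_id": f"O{i}",
     "action": "new", "algo_id": "ALGO-A"}
    for i in range(12)
] + [
    {"ts": 5.0, "segment": "NSE-FO", "order_id": "O3",
     "action": "modify", "algo_id": "ALGO-B"},
    {"ts": 6.0, "segment": "NSE-CM", "order_id": "O99",
     "action": "new", "algo_id": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```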

“Does this apply to DMA/HFT?”

Retail-algo API rules do not apply to DMA (Direct Market Access). DMA continues to be governed by its existing framework; institutions and prop desks should track separate SORM/DMA circulars.


Action plan (90-day rollout)

  1. Map architecture: Decide whether you’ll register (if you expect >10 OPS) or operate below the cap with a generic Algo ID.
  2. Provision static IPs: Get primary/secondary IPs; arrange change processes (≤1/week).
  3. Harden auth: Implement OAuth + 2FA; rotate credentials; enforce session expiry.
  4. Build rate-limiting: Cap OPS at broker-specified limits; add exponential backoff.
  5. Tag everything: Integrate Exchange Algo ID tagging in new/modify/cancel.
  6. Logging & storage: Design 5-year audit trail; test retrieval and time-sync.
  7. Contracts & empanelment: If using third-party algos, ensure exchange empanelment and broker disclosures are in place.
  8. Dress rehearsal: Run in mock/sandbox; validate rejection paths and operational cutovers per exchange circulars. (NSE India)

FAQs

Do I need a static IP if I use cloud?
Yes. Map a static public IP on your cloud gateway; get it whitelisted by the broker.

Below 10 OPS—do I still need registration?
You don’t need registration to operate below the cap, but all orders must still be Algo-ID tagged (the exchange provides a generic ID for this purpose).

What logs should I keep?
Full audit trail for IBT/STWT/API orders—user IDs, timestamps, payloads, Algo IDs—for at least 5 years.

Can family accounts share one static IP?
Allowed with conditions; only within a SEBI-defined family and with proper written/2FA-validated request to the broker.

What if I breach OPS limits accidentally?
Brokers must reject excess orders. Implement throttling and retries with jitter to minimise slippage.


Key sources (for compliance teams)

  • SEBI Circular (4 Feb 2025): Safer participation of retail investors in Algorithmic trading. (Securities and Exchange Board of India)
  • NSE Circular (5 May 2025): Implementation Standards—API access, OPS caps, OAuth/2FA, Algo-ID tagging, audit trails.
  • NSE Detailed Modalities (22 Jul 2025) & corrigendum (24 Jul 2025)—operational clarifications. (Avantis CDN Storage, NSE India)
  • Effective date extension to 1 Oct 2025 (news coverage citing SEBI communication). (Moneycontrol, The Economic Times)
