Three things happened in fifteen months that quietly rewrote how Indian Investment Advisers, Research Analysts and finfluencers can legally use WhatsApp. SEBI published a verified-social-handle circular in March 2025 that forces your advisory persona to bind to the same phone number on file with the regulator. It then dropped a consolidated master circular for IAs and a parallel one for RAs on 17 February 2026, codifying audit-trail and compliance-audit expectations for every operational thing you do — including digital messaging. And in parallel, the crackdown on paid WhatsApp tip groups crossed from one-off enforcement orders into a steady drumbeat of disgorgement, market bans and crore-scale penalties. If you advise on, research, or distribute investment content over WhatsApp in 2026, this is the rulebook you needed yesterday.
Why now: the regulatory picture in mid-2026
SEBI's posture toward digital communication used to be implicit — the regulations were channel-agnostic, the enforcement was reactive. That changed when the regulator realised the bulk of Indian retail capital-markets engagement now flows through three apps: WhatsApp, Telegram and YouTube. The 2024 SEBI–MIB joint framework on unregistered finfluencers was the first overt acknowledgement that the channel matters. The March 2025 verified-handle circular operationalised it for registered intermediaries. The February 2026 master circulars stitch the operational expectations into a single reference each for the IA and RA functions.
For roughly 1,400 SEBI-registered Investment Advisers and a comparable population of Research Analysts, this is a window where the rules of the road are finally legible. For finfluencers without registration, it is also a window where the boundary — and the enforcement appetite — is clearer than at any prior point. We have spent the last quarter helping registered advisory tenants on RichAutomate align their WhatsApp Business Account setup with this new posture, and this is the synthesis.
The March 2025 verified social handle rule
What it actually says
The 22 March 2025 SEBI circular requires all registered intermediaries — IAs, RAs, stockbrokers, AMCs, AIFs, mutual fund distributors registered with associations — to use only those social media accounts whose registered phone/email matches what SEBI has on file for the entity. The implementation is via a binding step on the SEBI Intermediary (SI) Portal: you log in, you confirm the social handles and the WhatsApp Business phone number that represent your registered advisory persona, and SEBI thereafter treats unverified handles claiming to be you as impersonators.
What it means for your WhatsApp setup
The WhatsApp Business number you use for client communication must be the same number on file with SEBI under your registration. If you registered with your personal mobile number and now run advisory via a separate business number, you must either (a) update the SEBI record to the business number, or (b) move advisory communications back to the registered number. We see roughly 60% of new registrations on RichAutomate hit this exact mismatch during onboarding — it is fixable, but it has to be fixed before advisory traffic flows. Our guided WhatsApp Business Account setup includes a SEBI-number-alignment check.
Why this matters beyond compliance
Impersonation is the dominant attack vector against high-profile RIAs in 2026. A verified handle is your regulatory shield and your trust signal when a prospect Googles you and finds your real WhatsApp number versus the three lookalike accounts trying to push penny-stock tips under your name.
The February 2026 master circulars — what changed
On 17 February 2026 SEBI issued a consolidated master circular for Investment Advisers and a separate consolidated master circular for Research Analysts. These are not new rules so much as new structure: every operational direction issued under the IA Regulations 2013 and RA Regulations 2014 over the prior decade is now in one place. The operationally interesting deltas:
| Area | Pre-Feb 2026 | Post-Feb 2026 master circular |
|---|---|---|
| Compliance audit auditor | Chartered Accountant or Company Secretary in practice | Cost Accountant in practice now also accepted (alongside CA / CS) |
| Audit periodicity | Half-yearly, deadlines spread across notifications | Half-yearly, codified — H1 audit submitted within 6 months of period-end, H2 within 6 months |
| Digital-comms audit trail | Implicit under "books and records" | Explicit — covers messaging apps, requires retrievable timestamped records |
| Risk profiling refresh | Mandatory at onboarding, periodically thereafter | Periodicity clarified — minimum annually for active advisory clients |
| Fee structure transparency | Disclosed in agreement | Disclosed in agreement and on the registered handle/website with the exact slab |
The cost-accountant addition matters more than it sounds. The bottleneck for many small-shop RIAs was finding a CA willing to do a small compliance audit at a reasonable fee. Opening the pool to ICAI-Cost relieves that pressure. The audit-trail clarification matters more still: it means any inspection can now legitimately ask "show us your WhatsApp messages from this period, with timestamps and recipients" — and you must be able to produce them.
Education versus advice — the crackdown line
The single most important sentence in this entire piece: the moment a piece of content recommends a specific buy, sell, hold, target price or stop-loss to a specific person or closed group, it is investment advice. Everything else — explainers, market commentary, historical analysis, generic frameworks — is investor education. Education does not require SEBI registration. Advice does.
Since 2023, SEBI orders against paid WhatsApp/Telegram tips groups have rested on exactly this distinction. The operator argues "I am running an education community". SEBI examines the message history, finds explicit buy-X-at-Y-target-Z messages, and the defence collapses. Disgorgement, market bans and penalties follow.
The four signals SEBI looks for in tips-group cases
1. Specific scrip/contract recommendations with entry/target/stop-loss
2. Paid access — subscription, joining fee, or revenue share
3. Closed-group distribution to identifiable subscribers
4. Absence of valid IA/RA registration covering the activity
Hit all four and the enforcement outcome is essentially predictable. Registered IAs and RAs operate on the legal side of (1) and (2) precisely because (4) is in place.
RIA registration and WhatsApp distribution — the lawful pattern
Onboarding before personalised content
A SEBI-registered Investment Adviser can communicate personalised advice over WhatsApp, but only to clients with whom (a) a written advisory agreement is in place, (b) a documented risk profile has been completed, and (c) suitability of the recommendation to that risk profile is on file. The WhatsApp message itself is fine; the file behind it is what survives inspection. Our WhatsApp client-onboarding KYC workflow handles the agreement, risk profile and consent capture inside the same flow that brings the client onto your WhatsApp.
Segregation of marketing and advice
The IA Regulations require functional segregation between distribution and advisory activities. In practice this means your "general market update" Broadcast and your "personalised recommendation for client X" message should be different surfaces, with different audiences, ideally on different flows. RichAutomate tenants typically configure two flows: an opt-in education Broadcast and a per-client advisory channel, with the latter gated by an internal CRM check that the client is onboarded and risk-profiled.
Fee transparency on the registered handle
The Feb-2026 master circular wants your fee slab visible — not buried in an agreement PDF. A pinned message on your WhatsApp Business profile linking to a public fee-disclosure page is the cleanest pattern.
Research Analyst WhatsApp distribution — what is permitted
A registered RA's role is to publish research; distribution over WhatsApp is in scope provided the published report's mandated disclosures travel with the message. The pattern that works:
- Publish the full research note on your registered website with the RA disclosures block (analyst certification, conflicts of interest, holdings, compensation source).
- Distribute on WhatsApp as a short headline + link to the full note. The WhatsApp message itself carries a compressed disclosure footer.
- If the WhatsApp message states a price/target, include the as-of timestamp and link to the source report so the recipient can see the original context.
What is not permitted: an RA pushing a "buy now, target +12%" message into a WhatsApp group without the corresponding published note, without the disclosures, or to recipients who were promised personalised follow-up. The first crosses RA distribution norms; the third crosses into IA territory.
Finfluencers and the 2024 framework
For creators without SEBI registration who publish investment content, the 2024 SEBI–Ministry of Information and Broadcasting framework remains the operative reference. The principle is straightforward: you can educate, but you cannot advise; you cannot run paid tip groups; and you cannot enter financial-incentive arrangements with SEBI-registered entities that, in substance, transfer your unregistered activity onto their registered shoulders.
Where WhatsApp specifically comes in: a public-broadcast WhatsApp Channel for educational content is well within the line. A closed WhatsApp Group with paid access is squarely on the wrong side. The audit trail SEBI examines if it ever investigates is the same audit trail any tenant on RichAutomate generates by default — make sure your operating reality matches the educational posture you publicly claim.
Audit trail — what an inspection actually asks for
Based on the patterns visible in published SEBI orders, a digital-comms inspection typically requests the following for a defined period:
- Complete export of WhatsApp Business messages for the entity's registered number, with timestamps and recipient phone numbers (hashed is acceptable; resolvable on request).
- Mapping of recipients to the client master — i.e. for any personalised-advice message, the corresponding agreement, risk profile and suitability assessment must be retrievable.
- Marketing-message logs — every Broadcast or template message sent for marketing purposes, with the corresponding opt-in record and the template content.
- Disclosure-block presence in every research distribution message.
- For tenants using a platform like RichAutomate: a vendor letter or DPA confirming the messaging records are held on your behalf, with the retention duration and export commitment.
A tenant on our platform satisfies all five out of the box because every message — inbound and outbound — is stored against the tenant ID with a five-year minimum retention by default, exportable as a single CSV/JSON bundle keyed to your registration. For a deep dive on how the platform handles the broader Indian regulatory stack, see our India regulation pillar and the DPDP Act compliance guide.
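The inspection list above can be rehearsed as a self-check over a message export before anyone asks for it. This is an added example, not RichAutomate's export format or code: the record schema, the `pseudonymise` and `audit_gaps` names, the key, the phone numbers and the URLs are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# Assumption: per-tenant secret stored apart from the export. A keyed hash stays
# re-derivable by the adviser; an unkeyed hash of a phone number can be enumerated.
KEY = b"constructed-demo-key"

def pseudonymise(phone):
    return hmac.new(KEY, phone.encode(), hashlib.sha256).hexdigest()[:16]

A, B, C = (pseudonymise(p) for p in ("+910000000001", "+910000000002", "+910000000003"))

# Constructed client master, opt-in log and export rows (hypothetical schema).
CLIENTS = {A: {"agreement": True, "risk_profile": True, "suitability": True},
           B: {"agreement": True, "risk_profile": False, "suitability": False}}
OPT_INS = {C}
FOOTER = "Disclosures: https://example.com/notes/1"
EXPORT = [
    {"id": "m1", "ts": "2026-03-02T09:15:00+05:30", "to": A, "kind": "advice", "body": "Review attached."},
    {"id": "m2", "ts": "2026-03-02T09:20:00+05:30", "to": B, "kind": "advice", "body": "Review attached."},
    {"id": "m3", "ts": "2026-03-03T10:00:00+05:30", "to": C, "kind": "marketing", "body": "Weekly explainer."},
    {"id": "m4", "ts": "2026-03-03T10:05:00+05:30", "to": A, "kind": "marketing", "body": "Weekly explainer."},
    {"id": "m5", "ts": "2026-03-04T11:00:00+05:30", "to": C, "kind": "research", "body": "New note. " + FOOTER},
    {"id": "m6", "ts": "", "to": C, "kind": "research", "body": "New note."},
]

def audit_gaps(export, clients, opt_ins):
    """Return (message id, gap) pairs an inspection request would surface."""
    gaps = []
    for m in export:
        try:
            if datetime.fromisoformat(m["ts"]).tzinfo is None:
                gaps.append((m["id"], "timestamp has no timezone"))
        except ValueError:
            gaps.append((m["id"], "timestamp missing or unparseable"))
        if m["kind"] == "advice":
            record = clients.get(m["to"])
            if record is None:
                gaps.append((m["id"], "recipient not in client master"))
            else:
                gaps += [(m["id"], f"no {f} on file")
                         for f in ("agreement", "risk_profile", "suitability") if not record[f]]
        elif m["kind"] == "marketing" and m["to"] not in opt_ins:
            gaps.append((m["id"], "no opt-in record"))
        elif m["kind"] == "research" and not ("Disclosures:" in m["body"] and "https://" in m["body"]):
            gaps.append((m["id"], "disclosure footer or report link missing"))
    return gaps
```

On the constructed export, `audit_gaps(EXPORT, CLIENTS, OPT_INS)` flags m2 (advice sent without a risk profile or suitability record), m4 (marketing without an opt-in) and m6 (no timestamp, no disclosure footer).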
DPDP Act overlap — do not ignore the data side
Every recipient on your WhatsApp list is a Data Principal under the Digital Personal Data Protection Act 2023 (with the draft Rules notified in November 2024). The five fast ways to a DPDP notice while running an advisory WhatsApp:
- Bundled consent — opting clients into marketing without a separate, explicit, withdrawable opt-in alongside the advisory consent.
- Indefinite retention with no defined purpose-limited deletion schedule.
- Unverifiable consent for minors — Data Principals under 18 require verifiable parental consent for personal-data processing.
- Cross-border transfer without satisfying the notified-country list (relevant if your platform vendor is offshore).
- No Grievance Officer published, no DPO appointed for significant data fiduciaries.
Tools that help: our DPDP Privacy Policy Generator and the DPDP Penalty Calculator. Tenants on RichAutomate get tenant-scoped retention, one-tap data-deletion fulfillment for any Data Principal request, and the Grievance Officer / DPO publication fields built into the platform onboarding.
A 30-minute compliance sprint for your WhatsApp advisory
- Bind your handles on the SI Portal. Confirm the WhatsApp Business number you actually use matches the SEBI record. Fix if needed.
- Separate marketing from advice. Two distinct flows: an opt-in education Broadcast and a per-client advisory channel. Do not mix.
- Publish your fee slab. A public page, linked from your WhatsApp Business profile and your registered website.
- Verify retention. Confirm your platform stores messages with timestamps for five years and can export on demand. If you are on RichAutomate, this is default-on.
- Schedule the half-yearly compliance audit. Pick your CA, CS or now-eligible Cost Accountant. Calendar the audit window so you do not slip.
- Wire DPDP basics. Privacy policy live, consent log captured per recipient, Grievance Officer published, deletion path documented.
- Document research distribution. Every WhatsApp research broadcast references the corresponding full published note URL and timestamp.
Comparing platforms for SEBI-fit WhatsApp advisory
Generic WhatsApp Business solutions do not think about the SEBI audit trail or DPDP retention as first-class features — they treat them as something the customer should "configure". When you are picking a platform, the questions worth asking your vendor sit alongside the obvious ones around pricing and templates:
- Can the platform export every message for my tenant, for any date range, in a single CSV/JSON bundle keyed to my SEBI registration number?
- Does it support a tenant-scoped retention policy I can set per regulatory requirement (five-year minimum)?
- Can I gate certain flows (e.g. personalised advisory) behind an internal check that the recipient is an onboarded, risk-profiled client?
- Does the platform publish a DPDP-compliant DPA I can sign?
- Is the messaging infrastructure aligned with the WhatsApp Business API rather than scraped/personal-account workarounds (which are independently SEBI- and Meta-unfriendly)?
Side-by-side, see how the major Indian providers handle this in our comparison pages: Wati vs RichAutomate, AiSensy vs RichAutomate, Interakt vs RichAutomate, and the 2026 best-API-for-India pillar.
Where this is heading
The trajectory is unambiguous. SEBI is treating WhatsApp as a first-class regulated channel, not a side-channel exempt from inspection. The verified-handle rule has closed the impersonation door for legitimate intermediaries. The Feb-2026 master circulars have given inspectors a single playbook to work from. The finfluencer framework continues to tighten, with each crackdown order narrowing the operating room for unregistered tip groups further. The 1,400 registered RIAs and the registered RAs alongside them now have, for the first time, a workable regulatory map for WhatsApp-led advisory. The cost of getting it right is small — bind your handle, separate the flows, retain the messages, publish your fees. The cost of getting it wrong has scaled steeply.
Get this set up
If you are a SEBI-registered IA or RA evaluating how to bring your WhatsApp practice into compliance with the 2026 posture — verified handle, segregated flows, five-year retention, half-yearly audit-ready export — we can have your tenant configured inside 30 minutes. Book a 30-minute setup call or message us on WhatsApp at +91 74349 01027.