SEBI CSCRF for Custodians: AUC Tiers & CCI Obligations
Custodians under SEBI CSCRF: Assets Under Custody drives three-tier classification (₹1L Cr, ₹10L Cr thresholds), CCI self-assessment at QRE, and what custodians of every size must do.
Custodians — the entities that hold and safeguard securities on behalf of investors — are classified under CSCRF purely by Assets Under Custody (AUC). The framework uses a clean three-tier model with two thresholds, and at the top end, custodians inherit the full Qualified RE obligation set including CCI self-assessment.
AUC-tiered classification
| Tier | AUC (INR crores) |
|---|---|
| Qualified RE | ≥₹10,00,000 Cr (₹10 Lakh Cr) |
| Mid-size | ₹1,00,000 – <₹10,00,000 Cr |
| Small-size | <₹1,00,000 Cr |
There is no Self-cert tier and no exclusion category. Every custodian registered with SEBI is in scope — the only variable is tier.
What changes at each threshold
| Obligation | Small-size | Mid-size | Qualified RE |
|---|---|---|---|
| VAPT | Annual | Annual | Annual (half-yearly if CII) |
| Cyber Audit | Annual | Annual | Half-yearly |
| Red Teaming | — | — | Half-yearly |
| Threat Hunting | — | — | Quarterly |
| Cyber Drill | Annual | Annual | Half-yearly |
| CCI Assessment | — | — | Self-assessment annually |
| ISO 27001 | — | — | Recommended |
| IT Committee | Optional | Mandatory (quarterly + expert) | Mandatory (quarterly + expert) |
| CISO | Designated officer | Designated officer | Dedicated CISO reporting directly to MD/CEO, ranked at or above CTO/CIO |
| HSM | Risk-assessed alternative | Risk-assessed alternative | Mandatory |
| M-SOC | Mandatory (own-SOC carve-out) | Eligible | Eligible |
| RTO / RPO | Per CCMP | Per CCMP | 2 hr / 15 min |
The ₹1,00,000 Cr threshold (Mid-size) activates the mandatory IT Committee with external cyber expert and makes M-SOC eligible rather than mandatory. The ₹10,00,000 Cr threshold (QRE) activates the full Qualified RE suite: half-yearly cyber audits, red teaming, threat hunting, CCI self-assessment, dedicated CISO, HSM mandate, and IOSCO-aligned RTO/RPO.
The CCI obligation for QRE custodians
At QRE tier, custodians must complete a Cyber Capability Index (CCI) self-assessment annually. CCI is defined in CSCRF Annexure-K and is a structured self-assessment against NIST CSF 2.0 control domains. The output is not a pass/fail score — it is a maturity snapshot used by the IT Committee to track cyber resilience posture year-over-year.
Per the Aug 2025 clarifications (CIR/2025/119), CCI remains self-assessment for QREs — no third-party assessment requirement applies (that obligation stays with MIIs).
DDP: the highest-of-DP-and-Custodian rule
Designated Depository Participants (DDPs) are a hybrid entity type. Per CSCRF §2, DDP classification is the highest of DP and Custodian categorisation. If a DDP has:
- DP classification: Qualified RE (always QRE for non-broker DPs)
- Custodian AUC: ₹80,000 Cr (Small-size)
The DDP classification is QRE — the DP tier wins.
This rule can work both ways. If the custodian AUC is large enough to drive QRE classification independently, the DDP inherits QRE regardless of the DP classification.
Practical steps
AUC is your classification basis. Confirm your current AUC as reported to SEBI. Classification is at the start of each financial year.
If approaching Mid-size (₹1,00,000 Cr AUC). Stand up the IT Committee (mandatory, quarterly, with an external cyber expert). Note that M-SOC onboarding changes from mandatory to eligible at this tier, so decide whether to remain on the M-SOC or run an in-house SOC.
If approaching QRE (₹10,00,000 Cr AUC). Prepare for half-yearly cyber audits, red-teaming, threat hunting, CCI self-assessment, dedicated CISO, HSM deployment, and 2-hr/15-min RTO/RPO targets. This is a multi-quarter compliance ramp — start before crossing the threshold.
CCI: prepare your first self-assessment. Even if not yet audited, running a dry-run CCI self-assessment maps your NIST CSF maturity and identifies gaps before the formal submission.
FAQ
Does custodian tier depend on the number of clients or folios?
No. Custodian classification is purely AUC-based. Client count and folio count are not tier-driving metrics for custodians.
Are foreign custodians (FPI custodians) in CSCRF scope?
Registered custodians — whether domestic or foreign — are in scope. Foreign Portfolio Investors (FPIs) and Foreign Venture Capital Investors (FVCIs) themselves are excluded from CSCRF entirely.
What if my custodian AUC crosses the Mid-size threshold mid-year?
Classification is at the start of the financial year. Mid-year threshold crossings activate the new tier at the start of the next FY. However, CSCRF expects regulated entities to be "substantially compliant" — pre-emptive ramp is recommended.
Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md.
About the authors
Founder & Chief Technology Officer
Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.
Offensive Security Research · Security Brigade
A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.