NSE’s New Retail Algo Trading Rules: What Every Investor Must Know

  • Published 18 Dec 2025

With the rise in popularity of algorithmic trading among retail investors, ensuring market integrity, investor protection, and systemic risk management has become critical. Responding to SEBI's directive (Circular SEBI/HO/MIRSD/MIRSD PoD/P/2025/0000013 dated February 4, 2025), the NSE has now formalized operational standards to regulate API-based access and algo usage.

These rules aim to provide a structured, safe, and transparent environment for retail algo trading, while addressing misuse or excessive trading that may affect market stability. So, let us understand what these new rules are:

A. API Access Standards for Retail Clients

  • Static IP Mandatory: Clients must provide a static IP address to access APIs. Only one static IP is required, though a backup is allowed.
  • Multiple API Keys: Clients can have multiple API keys for different purposes (segments or algos), but IP address mapping is strictly enforced.
  • Unregistered Algo Rules: Only one API key can be used for unregistered algos; all others must handle registered algos.
  • Weekly IP Updates: IP changes are limited to once a week (exceptions allowed with justification).
  • Family Sharing Allowed: Static IPs can be shared among family members if compliant with SEBI’s December 2024 guidelines.
  • Mandatory Session Logout: All API sessions must end before the next trading day starts.

B. Guidelines for APIs Without Registered Algos

  • OPS Threshold Limit: Orders per second (OPS) are capped at 10 per second, per Exchange.
  • Registration Flexibility: If algo usage remains under 10 OPS, registration with the broker isn't needed, but Exchange registration is mandatory with a generic Algo ID.
  • Broker Duties: Brokers must reject orders that exceed the OPS cap and monitor usage continuously.
  • Restricted Instruments: Certain contracts or securities may be blocked from retail algos.

C. For Registered Client-Generated Algos

  • Above 10 OPS Needs Registration: If clients wish to exceed the OPS threshold, full registration of the algorithm with the Exchange is required.
  • Tagging & Tracking: Each registered algo will have a unique ID; all orders must carry this tag.
  • Change Management: Any changes to registered algos must be reported and re-registered as needed.

D. Broker-Generated Algos

  • Brokers can create and offer algorithms to clients, but must register them with Exchanges.
  • Clients must be informed about the algo’s functionality.
  • Any modifications in logic or behaviour must be re-approved and updated with the Exchange.

E. Algo Providers and Their Responsibilities

  • Empanelment Required: All third-party algo providers must be registered with Exchanges.
  • Shared Algos: Once registered, algos can be used across brokers.
  • Commercial/Technical Agreements: Brokers may share revenue or infrastructure with providers but must notify the Exchanges of such arrangements.
  • Due Diligence: Brokers must monitor providers for compliance and report any violations.

F. Order Rate Limits

  • OPS Cap: 10 orders per second per Exchange/segment is the hard limit unless revised by Exchanges.
  • Brokers may impose stricter limits at their discretion.

G. Algo Tagging Mechanism

  • All algo orders (registered or not) will be tagged with a unique Exchange-provided ID to ensure audit trails.
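
The checks from sections A, B, F and G, combined into one broker-side gate for the unregistered-algo API key. This is an added example, not code from NSE, SEBI or any broker; the class, key names, IP addresses and Algo ID are constructed, and the sliding one-second window and per-client counting are assumptions.

```python
from collections import defaultdict, deque

OPS_CAP = 10          # from the article: 10 orders per second, per Exchange
WINDOW_SECONDS = 1.0  # assumption: the cap is measured over a sliding one-second window


class OrderGate:
    """Hypothetical broker-side admission check; not an NSE or broker API."""

    def __init__(self, keys):
        # keys: api_key -> {"client": client id, "ips": set of whitelisted static IPs}
        self.keys = keys
        # (client, exchange) -> timestamps of orders accepted inside the window
        self.accepted = defaultdict(deque)

    def check(self, api_key, source_ip, exchange, algo_id, now):
        """Return a reason string; only "accepted" lets the order through."""
        entry = self.keys.get(api_key)
        if entry is None:
            return "unknown_api_key"
        if source_ip not in entry["ips"]:
            return "ip_not_mapped_to_key"
        if not algo_id:
            return "missing_algo_id"
        # Count per client, not per key, so extra keys cannot multiply the cap.
        window = self.accepted[(entry["client"], exchange)]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= OPS_CAP:
            return "ops_cap_exceeded"
        window.append(now)
        return "accepted"


def replay_sample():
    """Run constructed orders through the gate and return the decisions."""
    gate = OrderGate({"KEY-A": {"client": "C1", "ips": {"203.0.113.10", "203.0.113.11"}}})
    burst = [gate.check("KEY-A", "203.0.113.10", "NSE", "GENERIC-ALGO", 100.0)
             for _ in range(12)]
    return {
        "burst": burst,
        "other_exchange": gate.check("KEY-A", "203.0.113.11", "BSE", "GENERIC-ALGO", 100.0),
        "wrong_ip": gate.check("KEY-A", "198.51.100.7", "NSE", "GENERIC-ALGO", 100.5),
        "untagged": gate.check("KEY-A", "203.0.113.10", "NSE", "", 100.5),
        "next_second": gate.check("KEY-A", "203.0.113.10", "NSE", "GENERIC-ALGO", 101.0),
    }
```

Rejected orders are not added to the window, so a client that keeps hammering the gate is not locked out beyond the second in which the cap was hit.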

H. Comprehensive Risk Management

  • Brokers must comply with all risk protocols outlined in NSE’s April 29, 2025 circular.
  • Decision-support tools must be used responsibly, ensuring no market disruption.

I. Technical & Security Specifications

  • Audit Trails: All orders placed via Internet Based Trading (IBT), Securities Trading using Wireless Technology (STWT), or APIs must be traceable for at least 5 years.
  • Cybersecurity: Compliance with SEBI’s cybersecurity directives (e.g., two-factor authentication, password expiry) is required.
  • OAuth Mandatory: Open APIs are not allowed; only whitelisted static IPs and secure API keys are permissible.
  • Hosting Requirements: All retail algos must be hosted on Exchange-approved servers.

J. Additional Notes

  • DMA Trading Excluded: These rules do not apply to Direct Market Access (DMA).
  • Charges Allowed: Brokers can charge clients for API access in addition to regular brokerage.
  • Exchange Intervention: Exchanges reserve the right to deactivate rogue algos affecting the market.

These new standards mark a major shift toward safer and more responsible participation of retail investors in algo trading. By mandating API control, OPS thresholds, algorithm tagging, and strong cybersecurity, the NSE ensures both innovation and investor protection are maintained.
