India Regulatory Compliance for Foreign Business
Seven major regulatory frameworks. Over 100 annual filings. Penalties that reach three times the contravention amount. India's compliance landscape does not forgive unfamiliarity — it penalises it.
The Compliance Architecture: What India Demands from Foreign Businesses
India does not have a single regulatory framework. It has at least seven major overlapping frameworks, each administered by a different regulator, each with its own filing deadlines, documentation standards, penalty provisions, and enforcement culture. For a foreign company operating through an Indian subsidiary, this means navigating the Companies Act (MCA), FEMA (RBI), Income Tax (CBDT), GST (CBIC), four Labour Codes (Ministry of Labour), DPDPA (Data Protection Board), and sector-specific regulations simultaneously.
The complexity is not just the number of laws — it is the interaction between them. A single inter-company transaction between the WOS and its parent triggers FEMA pricing guidelines, transfer pricing documentation under the Income Tax Act, GST implications on imported services, and DPDPA considerations if the transaction involves data processing. A single employee hire triggers EPF registration, ESI registration, Professional Tax enrollment, TDS compliance, POSH obligation, and DPDPA consent requirements.
For foreign companies, this multi-law compliance burden is compounded by unfamiliarity — regulations that are intuitive to Indian businesses (because they have lived with them for decades) are opaque to foreign managers encountering them for the first time. The consequence of ignorance is not forgiveness — it is penalties, prosecution notices, and reputational damage. AMLEGALS structures compliance as an architecture, not a checklist. Explore: AMLEGALS Corporate Law Practice.
FEMA Ongoing Compliance: Every Cross-Border Rupee Has a Paper Trail
FEMA compliance for foreign entities is not a one-time registration — it is a continuous obligation that attaches to every cross-border transaction for the life of the entity. The RBI tracks foreign investment, profit repatriation, royalty payments, inter-company loans, and share transfers through a series of mandatory reports that must be filed within specific windows.
Capital account compliance includes: FC-GPR (within 30 days of share allotment to non-residents), FC-TRS (within 60 days of share transfer between residents and non-residents), Annual Return on Foreign Liabilities and Assets (FLA Return by July 15), downstream investment reporting for Indian companies with foreign ownership making further investments, and ECB reporting for inter-company loans (monthly within 7 working days of drawdown, annual within 30 days of financial year end).
Current account compliance covers: pricing of royalty and technical service fee payments under relevant RBI Master Directions, withholding tax compliance on outbound payments, documentation of business purpose for management charges and cost-sharing arrangements, and remittance documentation through the AD bank for each outbound payment.
The penalty framework is strict: up to 3x the contravention amount under Section 13, plus Rs. 5,000 per day for continuing defaults. Directors can be held personally liable. AMLEGALS manages FEMA as a dedicated compliance workstream, ensuring every filing is made within the statutory window. Read: FEMA Compounding Rules 2024.
Companies Act Compliance: Governance Filings and Statutory Obligations
The Companies Act 2013 imposes a structured governance framework on every registered company — and foreign subsidiaries receive no exemptions. The MCA's compliance monitoring system has become increasingly automated, and defaults are flagged through the MCA21 portal with escalating consequences.
Annual filings: Financial statements (Form AOC-4) within 30 days of the AGM, Annual Return (Form MGT-7) within 60 days of AGM, Director KYC (DIR-3 KYC) by September 30 each year for every director. The AGM must be held within 6 months of the financial year end (September 30 for March FY companies). Board meetings: minimum 4 per year with the first meeting within 30 days of incorporation and a maximum 120-day gap between consecutive meetings.
Event-based filings: change of directors (DIR-12 within 30 days), change of registered office (INC-22), creation/modification of charges on assets (CHG-1 within 30 days of creation), related party transaction disclosures (Form MBP-4 maintained by every director), and allotment of shares (PAS-3 within 15 days). Non-filing of annual returns for 3 consecutive years triggers director disqualification under Section 164(2)(a) — a disqualification that follows the individual to every other company directorship they hold.
AMLEGALS manages MCA compliance as part of the integrated compliance calendar, ensuring every filing is made within the statutory window with correct documentation. Explore: Corporate Governance Advisory.
GST Compliance Operations: Monthly Returns, ITC Management and E-Invoicing
GST compliance is the most operationally intensive regulatory obligation for most businesses. Unlike annual filings that require attention once a year, GST demands monthly attention with real financial consequences for every error or delay.
Monthly compliance cycle: GSTR-1 (outward supply details) by the 11th, GSTR-3B (summary return with tax payment) by the 20th, and ITC reconciliation against the auto-populated GSTR-2B statement. For entities with turnover above Rs. 5 crores, e-invoicing through the Invoice Registration Portal is mandatory — every invoice must carry an Invoice Reference Number (IRN) before it is issued. E-way bills must be generated for goods movement above Rs. 50,000 within India.
ITC management is where foreign companies frequently encounter issues. Input Tax Credit can only be claimed on invoices reflected in the GSTR-2B auto-populated statement, and the time limit for claiming ITC is September 30 of the next financial year or the date of annual return filing, whichever is earlier. Discrepancies between the supplier's GSTR-1 and the entity's GSTR-3B create mismatches that trigger departmental scrutiny. AMLEGALS advises on ITC reconciliation processes and dispute resolution. Read our GST practice: AMLEGALS GST Advisory.
DPDPA 2023: Data Privacy Compliance for Foreign-Owned Entities
The Digital Personal Data Protection Act 2023 has created a new compliance dimension that did not exist before for foreign companies in India. Every foreign subsidiary processes personal data from Day One — employee data, customer data, vendor data, visitor data — and the DPDPA imposes specific obligations on how that data is collected, processed, stored, and transferred.
The DPDPA applies to Data Fiduciaries (entities determining the purpose and means of processing) and Data Processors (entities processing on behalf of fiduciaries). A foreign subsidiary is typically a Data Fiduciary for employee and customer data, and may also be a Data Processor for data processed on behalf of the foreign parent. Obligations include: obtaining informed consent with clear privacy notices, implementing data principal rights (access, correction, erasure, grievance redressal), data breach notification to the Data Protection Board within 72 hours, and ensuring cross-border transfer compliance under Section 16.
The DPDP Rules 2025 add operational specificity: consent manager registration requirements, algorithmic fairness obligations for automated decision-making, children's data processing restrictions (verifiable parental consent for data subjects below 18), and Significant Data Fiduciary obligations for entities processing large volumes of data. Penalties can reach Rs. 250 crores per violation. AMLEGALS structures DPDPA compliance during entity setup, not as a post-incident response. Read: DPDPA Decoded and Data Privacy Policy Framework.
Labour Code Compliance: The Four Codes That Govern Every Employee Relationship
India's labour regulatory framework has been consolidated from 29 central laws into four Labour Codes — and for foreign companies, this consolidation is both a simplification and a complexity. Simpler in structure, but demanding in its new definitions and expanded coverage.
Code on Wages 2019: introduces a universal minimum wage floor, standardises the definition of wages (including most allowances previously excluded), mandates equal remuneration irrespective of gender, and requires timely payment within defined periods. Foreign companies must recalculate their India pay structures against the new wage definition. Code on Social Security 2020: expands coverage to gig workers, platform workers, and unorganised workers; introduces portability of benefits; and mandates Aadhaar-linked universal social security accounts. Companies with 20+ employees must comply with Employees' Provident Fund (12% employer contribution), and companies with 10+ employees must comply with Employees' State Insurance.
Industrial Relations Code 2020: restructures standing orders, worker reclassification, and dispute resolution. OSH Code 2020: consolidates 13 safety laws into a single framework with unified licensing. POSH compliance (Prevention of Sexual Harassment Act 2013) is mandatory from the first employee — requiring an Internal Committee, complaints mechanism, annual reporting, and awareness training.
AMLEGALS provides "Global-Local" employment law advisory — ensuring foreign companies' India HR policies comply with Indian statute while preserving global corporate frameworks. Read: Employment Laws Overview and Labour Codes: Implementation Issues.
Transfer Pricing Compliance: The Most Scrutinised Area for Foreign Subsidiaries
Indian tax authorities operate one of the most aggressive transfer pricing enforcement regimes globally. Every related-party transaction between the Indian subsidiary and any associated enterprise — parent, sister company, or entity with 26%+ common ownership — must be at arm's length price under Section 92 of the Income Tax Act.
The documentation burden is substantial: contemporaneous transfer pricing study covering functional analysis, comparability analysis, method selection, and economic benchmarking for every international transaction category. Form 3CEB — the accountant's certification of arm's length compliance — must be filed with the income tax return by October 31. The penalties for non-compliance are designed to deter: 2% of transaction value for documentation failure, and 100-300% of tax on adjustment for incorrect pricing.
Common areas of TP scrutiny for foreign subsidiaries: management service fees (are the services actually rendered, are they not duplicative of functions performed locally, is the benchmarking methodology appropriate?), IP royalties (does the Indian entity actually use the IP, is the royalty rate comparable to third-party licences?), cost-sharing arrangements (is the allocation key appropriate, does the Indian entity benefit proportionally?), and corporate guarantees (is the guarantee fee at arm's length?). AMLEGALS works with specialised TP advisors to design the inter-company transaction structure from inception — because defending a poorly designed structure is exponentially more expensive than designing it correctly.
Sector-Specific Regulatory Requirements: The Layer Most Foreign Companies Discover Late
Beyond the seven horizontal regulatory frameworks, most sectors carry a regulatory overlay that adds specific licences, approvals, and ongoing compliance obligations — and the consequences of operating without the required licence range from penalties to business closure.
Financial Services: RBI licence for NBFCs, SEBI registration for portfolio management and investment advisory, IRDAI licence for insurance. These regulators conduct periodic inspections and require quarterly/annual reporting. FinTech entities face additional guidelines on digital lending, payment aggregation, and customer data protection. Manufacturing: Factories Act licence, Bureau of Indian Standards (BIS) certification for applicable products, Consent to Establish and Consent to Operate from the SPCB, hazardous waste management authorisation, and Import Export Code (IEC) for cross-border trade.
Food and Beverages: FSSAI licence (central for turnover above Rs. 12 crores, state for lower) with product-specific registration requirements and periodic factory audits. Pharmaceuticals: Drug Manufacturing Licence from state CDSCO, clinical trial approvals for new drugs, Good Manufacturing Practice compliance, and import/marketing authorisations. Technology and E-commerce: while no specific licence is required, compliance with the IT Act 2000, intermediary guidelines, Consumer Protection Act 2019 (for marketplace operators), and e-commerce FDI policy restrictions is mandatory.
AMLEGALS maps the sector-specific regulatory layer during the feasibility assessment phase. Explore: FinTech Legal Services and RegTech Compliance.
The Penalty Framework: What Non-Compliance Actually Costs
Indian regulators have moved from a culture of leniency to a culture of enforcement. Penalties are not merely theoretical — they are assessed, demanded, and collected with increasing efficiency through digital tracking systems, automated default detection, and inter-regulator information sharing.
FEMA: up to 3x the contravention amount plus Rs. 5,000/day for continuing defaults. Compounding under the 2024 Rules requires Rs. 10,000 filing fee plus the compounding amount. Companies Act: Rs. 10,000 to Rs. 5 lakhs per offence plus Rs. 1,000/day continuing penalty. Director disqualification under Section 164(2)(a) for non-filing of 3 consecutive annual returns — affecting the director across all companies. Income Tax: 200% penalty on undisclosed income (Section 270A), 2% of transaction value for TP documentation failure, interest at 1%/month for tax payment delays, and prosecution under Section 276C for wilful evasion.
GST: Rs. 10,000 or tax amount (whichever is higher) under Section 122, 100% penalty for fake invoices, and criminal prosecution with imprisonment up to 5 years for fraud exceeding Rs. 5 crores. DPDPA: up to Rs. 250 crores per violation — potentially the largest single penalty exposure. Labour Codes: imprisonment up to 3 months and/or fines for certain violations including non-payment of wages and POSH non-compliance.
The business case for proactive compliance is not philosophical — it is financial. The cost of establishing and maintaining a proper compliance framework is a fraction of the cost of a single material penalty, plus the reputational damage and management bandwidth consumed by enforcement proceedings.
AMLEGALS Compliance Advisory: Architecture, Execution and Defence
Compliance is not a checkbox exercise — it is an operational discipline that requires architecture, execution, and defence capability. AMLEGALS provides all three layers for foreign businesses operating in India.
Architecture: During entity setup, AMLEGALS maps every applicable regulatory framework, creates the master compliance calendar with all filing deadlines, establishes internal ownership designations, and implements the DPDPA, labour code, and GST compliance infrastructure.
Execution: Ongoing filing management across MCA, Income Tax, GST, FEMA, and Labour Codes. Document preparation, review, and submission within statutory windows. Transfer pricing documentation preparation and Form 3CEB certification coordination.
Monitoring: Quarterly compliance audits to identify gaps before they become defaults. Regulatory update alerts for changes affecting the entity's operations — FEMA notifications, GST circulars, MCA amendments, and DPDPA implementation developments. Impact assessments for material regulatory changes.
Defence: When compliance failures occur despite best efforts — penalty mitigation representation, FEMA compounding applications, income tax assessment representation, and dispute resolution across forums. AMLEGALS does not just file — we defend when filings are challenged or when past defaults surface during audits.
Write to [email protected] or call +91 8448 548 549. With 10 offices across India, AMLEGALS provides the state-specific regulatory expertise that multi-location operations demand.
What You Need to Know
Your India Operations Deserve a Compliance Architecture That Anticipates Every Regulator
Write to [email protected] or call +91 8448 548 549. AMLEGALS provides multi-law regulatory compliance advisory — from architecture through ongoing execution — across ten offices.
[email protected]