Compliance Solutions for IT Companies

Compliance Solutions for IT Companies

Indian IT and SaaS companies in FY 2026-27 must navigate six parallel compliance tracks at once: corporate ROC filings on MCA V3, direct-tax obligations including transfer pricing under Sections 92–92F of the Income-tax Act, zero-rated GST exports backed by a valid Letter of Undertaking (LUT) and Rule 89(4) refund claims, FEMA/RBI obligations centred on Softex declarations and the FLA return, the now-operational DPDP Act framework, and ESOP perquisite-tax compliance. Miss any single track and you risk late fees, blocked foreign remittances, transfer-pricing additions or Data Protection Board penalties reaching Rs. 250 crore. This guide maps every obligation for AY 2027-28 with due dates, Rs. worked examples, and the mistakes that most consistently derail otherwise well-run IT firms.

Why IT Compliance Is Different from Traditional Business

A manufacturing or trading company earns rupee revenue, employs staff on fixed salaries and holds physical assets. An Indian IT or SaaS company does none of those things cleanly.

Revenue arrives in foreign currency. Every dollar or pound received triggers FEMA reporting, FIRC reconciliation and Softex obligations before you can even recognise the income in your books.

Compensation is equity-heavy. ESOP grants, vesting, exercise and eventual sale each trigger separate tax events and, for listed companies, SEBI SBEB Regulation disclosures. A single exercise event in the wrong month can create a TDS default.

Data crosses borders. User data from India, the EU and the US flows through your servers or your SaaS vendor's servers, invoking the DPDP Act, GDPR where applicable, and US state privacy laws.

Group structures are multi-jurisdictional. A Delaware C-Corp parent, a Singapore holding entity or a GIFT City subsidiary creates transfer-pricing exposure under Sections 92–92F and ODI reporting obligations under FEMA. Both feed back into your Indian company's books.

The result: a 55-person Indian SaaS company can carry a compliance footprint larger than a 500-person FMCG distributor. Each regulatory layer intersects the others — a Softex gap affects your GST refund claim; an unresolved transfer-pricing question affects your advance-tax liability. Understanding these connections is what separates reactive fire-fighting from a proactive compliance posture.

Pillar 1: Corporate and ROC Compliance on MCA V3

Every Indian IT company incorporated under the Companies Act 2013 has standing obligations on the MCA V3 portal. The key annual forms and their FY 2026-27 due dates are:

Late-fee arithmetic: The MCA levies an additional fee of Rs. 100 per day for every day of default beyond the due date — on top of the normal filing fee. A company that files AOC-4 just 90 days late accumulates Rs. 9,000 in additional fees on that single form, before any compounding proceeding or prosecution under Section 454.

Board Governance Essentials

Tech founders routinely treat board minutes as a post-facto formality. In practice, every ESOP allotment, every inter-company service agreement, every related-party transaction and every change in authorised capital must be backed by a board or shareholder resolution — and filed with the ROC where required. Omissions discovered during a Series B or PE due diligence are expensive to cure retrospectively and sometimes impossible to regularise without risk under Section 447.

For LLPs — common among smaller IT services firms — Form 11 (Annual Return) is due within 60 days of the financial year close: 30 May 2026 for FY 2025-26. Form 8 (Statement of Accounts and Solvency) is due 30 October 2026. Late fee: Rs. 100 per day per form, identical to companies.

Pillar 2: Direct Tax — Advance Tax and Transfer Pricing for AY 2027-28

Advance Tax Instalments

For income earned in FY 2026-27 (AY 2027-28), pay advance tax on or before:

1. 15 June 2026 — 15% of estimated annual tax
2. 15 September 2026 — 45% cumulative
3. 15 December 2026 — 75% cumulative
4. 15 March 2027 — 100% cumulative

Any shortfall attracts interest under Section 234B (1% per month on the shortfall from 100%) and Section 234C (1% per month on each instalment shortfall). IT companies with lumpy Q4 billing — common when year-end renewals spike in February and March — frequently underestimate the December and March instalments. Build a rolling 90-day revenue forecast into your advance-tax workings from the very first quarter.

Transfer Pricing Under Sections 92–92F

If your company bills a related party abroad — a US parent, a Singapore holding entity, or a group entity in any jurisdiction — every such transaction must be benchmarked at arm's length. Documentation requirements:

1. Local File — functional, asset and risk (FAR) analysis plus benchmarking study using an accepted method (TNMM, CUP, Cost Plus, etc.)
2. Form 3CEB — Transfer Pricing Accountant's Certificate, due 31 October 2026 for AY 2026-27 (the assessment year covering FY 2025-26 income, which you certify during FY 2026-27)
3. Master File (Form 3CEAA) — required if your group's consolidated revenue exceeds Rs. 500 crore
4. Country-by-Country Report (Form 3CEAD) — required if consolidated group turnover exceeds Rs. 5,500 crore (approximately USD 660 million)

Finance Act 2026 has retained safe-harbour margins for software development and IT-enabled services under Rule 10TD — verify the applicable margin against the current CBDT notification, as thresholds differ by transaction size. A cost-plus margin of 8–10% reported in your Local File, compared against Indian IT benchmarks typically earning 18–22% operating margins, is an open invitation to a transfer-pricing adjustment.

Worked TP exposure: Your Indian company provides software development services to its US parent. Reported cost: Rs. 10 crore. Margin charged: 10%, yielding revenue of Rs. 11 crore. Transfer-pricing officer benchmarks at a 20% TNMM margin and recharacterises revenue at Rs. 12 crore. Addition: Rs. 1 crore. Tax on addition at 25.17%: Rs. 25.17 lakh. Add interest under Sections 234B/234C for the underpaid advance tax: approximately Rs. 5–8 lakh depending on when assessment is completed. Total exposure from a single under-priced intercompany arrangement: Rs. 30–33 lakh.

Form 15CA/15CB on Foreign Remittances

Every payment to a non-resident that is chargeable to tax in India — management fees, royalties, technical-service fees, software licence payments to foreign vendors — requires a Form 15CA (online declaration on the income-tax portal) and, for aggregate payments exceeding Rs. 5 lakh in a financial year, a Form 15CB (CA certificate confirming withholding tax adequacy). Most IT companies remitting payments to foreign SaaS platforms (AWS, Google Cloud, Salesforce, Adobe) must run a 15CA/15CB check monthly.

Pillar 3: GST on Export of Services — Earning Zero-Rating the Right Way

An export of services under Section 2(6) of the IGST Act 2017 is zero-rated under Section 16, letting you supply without charging GST and claim a full refund of accumulated Input Tax Credit. The zero-rating holds only if all five conditions of Section 2(6) are satisfied simultaneously:

1. The supplier is located in India
2. The recipient is located outside India
3. The place of supply is outside India
4. Payment is received in convertible foreign exchange (or in INR where RBI permits)
5. The supplier and recipient are not merely establishments of the same entity (so inter-branch billing to your own foreign office does not qualify)

CBIC audit disputes concentrate on conditions 3 and 4. Ensure your contracts specify the place of performance is India and that payment terms require foreign-currency settlement.

LUT Renewal for FY 2026-27

File Form RFD-11 on the GST portal before your first zero-rated supply of FY 2026-27. The LUT must be renewed every financial year. Exporting after April 1 without a valid LUT forces you to charge IGST on each invoice, then file a cash refund claim — tying up working capital for months. Calendar LUT renewal for the last week of March each year without exception.

Calculating Your Rule 89(4) Refund

The formula for accumulated-ITC refund on zero-rated exports:

> Refund = Net ITC × (Zero-Rated Turnover ÷ Adjusted Total Turnover)

Example: Your company exports services worth Rs. 1.8 crore in a quarter. Adjusted total turnover for the quarter: Rs. 2.25 crore. Accumulated ITC: Rs. 18 lakh. Refund = Rs. 18 lakh × (Rs. 1.8 crore ÷ Rs. 2.25 crore) = Rs. 14.4 lakh.

File the refund application in Form RFD-01 on the GST portal within two years of the relevant date — for export of services, the relevant date is the date of receipt of payment in convertible foreign exchange. Miss this window and the refund is permanently extinguished. Always obtain the eBRC (Electronic Bank Realisation Certificate) from your AD bank promptly; you cannot file RFD-01 without it.

What CBIC Auditors Scrutinise

• A gap of more than 12 months between your GST invoice date and the date of FIRC/eBRC receipt — prolonged non-realisation triggers zero-rating challenges
• Contracts governed by Indian law or with dispute-resolution in Indian courts — not automatically disqualifying, but requires contemporaneous explanation
• Sub-contracting an entire project to an Indian vendor and invoicing the foreign client — the export character is defensible only if you retain IP ownership and delivery risk

Pillar 4: FEMA Compliance, Softex Filing and RBI Reporting

Softex Filing: A Step-by-Step Process

Every Indian IT company that exports software or software-related services through data links or electronic transmission must submit a Softex declaration to its Authorised Dealer (AD) bank. The bank processes it through RBI's EDPMS (Export Data Processing and Monitoring System). The process:

1. Raise the invoice in foreign currency on your overseas client
2. Within 30 days of the invoice date, submit Softex forms to your AD bank along with the invoice and underlying contract
3. The AD bank certifies the forms and routes them through EDPMS; for STPI-registered units, the STPI officer may be an additional signatory
4. On receipt of payment, collect the FIRC (Foreign Inward Remittance Certificate) and the eBRC from your bank
5. Reconcile every outstanding Softex filing against a corresponding eBRC on a monthly basis in EDPMS

A backlog of unreconciled Softex forms creates a FEMA violation for delayed realisation. The penalty under FEMA can be up to three times the amount involved — though compounding officers typically settle at a fraction of the maximum, the compounding process itself consumes 6–12 months of management bandwidth and legal cost.

FLA Return and ODI Reporting

If your company has received FDI at any time or has made an Overseas Direct Investment, you must file the Foreign Liabilities and Assets (FLA) Return on RBI's FLAIR portal by 15 July 2026 (covering FY 2025-26 data). Non-filing is a FEMA violation in its own right, carrying penalties of Rs. 5,000 per day of continuing default.

For companies with wholly owned overseas subsidiaries:

• File the Annual Performance Report (APR) in the prescribed Form by 31 December of each calendar year, reporting the subsidiary's audited financials
• Maintain an up-to-date fair-value assessment of your overseas investment in your records for ODI compliance

Pillar 5: DPDP Act Obligations for IT Companies

The Digital Personal Data Protection Act 2023 and its Rules — operationalised through FY 2026-27 — impose structured obligations on any entity that processes the personal data of Indian residents in digital form. This captures virtually every Indian IT company: your employee HR data alone qualifies.

Your baseline obligations as a Data Fiduciary:

• Publish a privacy notice in clear, plain language specifying the purpose of processing, categories of data collected, retention period, and the data principal's rights — before or at the time of collection
• Obtain explicit, purpose-specific consent (or rely on a specified legitimate use) for each category of processing; a generic "I agree to terms" checkbox on signup does not satisfy the Act
• Maintain a Record of Processing Activities (RoPA) — documenting what data you collect, why, how long you retain it, and every third party with whom you share it
• Respond to Data Principal requests (access, correction, erasure, nomination) within the period notified by the Central Government — currently expected to be 30 days; confirm against the current gazette notification
• Notify the Data Protection Board and affected data principals of any breach within 72 hours of becoming aware

Significant Data Fiduciary Status

If the Central Government notifies your company as a Significant Data Fiduciary (based on volume and sensitivity of data processed), additional obligations apply: appointing a Data Protection Officer (DPO) resident in India, conducting periodic Data Protection Impact Assessments (DPIAs), and commissioning independent audits of your processing activities.

Penalty Schedule

These are per-violation caps, not annual maximums. A single undisclosed breach affecting 50,000 users can simultaneously attract the Rs. 200 crore breach-notification penalty and the Rs. 250 crore security-safeguards penalty.

Pillar 6: ESOP Compliance — Perquisite Tax, TDS and Capital Gains

ESOPs are the standard currency of Indian IT hiring. They also create a three-stage compliance chain that must be tracked in real time.

Stage 1 — Grant: For unlisted companies, obtain board and shareholder approval under Section 62(1)(b) of the Companies Act 2013 and Rule 12 of the Companies (Share Capital and Debentures) Rules, 2014. Maintain an ESOP Register with grant date, exercise price, vesting schedule and exercise date per employee. File Form PAS-3 (return of allotment) within 30 days of each allotment triggered by option exercise.

Stage 2 — Exercise: The perquisite value is taxable as salary under Section 17(2)(vi) of the Income-tax Act in the year of exercise.

Worked example: An employee exercises 1,000 options. Exercise price: Rs. 50. FMV on the exercise date (determined by a registered valuer for unlisted companies): Rs. 800. Perquisite value = (Rs. 800 – Rs. 50) × 1,000 = Rs. 7,50,000. Employer must deduct TDS under Section 192 in the month of exercise. At an effective marginal rate of 34.32% (including surcharge and cess for an employee in the highest bracket), TDS = approximately Rs. 2,57,400. Deferring this TDS to the annual April salary-processing cycle creates a Section 201(1A) interest liability of 1.5% per month from the month of exercise.

Stage 3 — Sale: Capital gains tax arises on the difference between sale price and FMV on the exercise date (which becomes the cost of acquisition). For unlisted shares held beyond 24 months: Long-term Capital Gains taxed at 12.5% without indexation (per Finance Act 2024). For listed shares held beyond 12 months: LTCG above Rs. 1.25 lakh taxed at 12.5% under Section 112A. Employees exercising in one tax year and selling in another face a two-year audit trail requirement.

For listed companies, SEBI SBEB Regulations 2021 additionally require disclosure of ESOP scheme details in the annual report and a certificate from a practising company secretary confirming scheme compliance.

Common Mistakes IT Companies Make — and How to Fix Them

1. Filing Softex late or not at all Many bootstrapped IT firms assume that receiving payment in their bank account closes the loop. It does not. Softex must be filed within 30 days of invoice, independent of when payment arrives. Three-year Softex backlogs — discovered only when the company seeks RBI approval for an overseas acquisition — require a formal compounding application. Fix: Assign Softex filing to your AD bank relationship manager with a standing calendar reminder on the 25th of every month.

2. Skipping LUT renewal before April 1 A company that exports services between April 1 and the date it files its LUT is technically making a taxable supply, not a zero-rated one. It must either pay IGST on those invoices or return to the export recipient with a revised invoice — neither is simple. Fix: File Form RFD-11 before March 28 each year. Treat it as a hard deadline equivalent to advance-tax.

3. Treating intercompany billing as non-transfer-pricing An Indian subsidiary billing its US parent a fixed Rs. 1.5 crore monthly "platform access fee" without a benchmarking study is fully exposed to a transfer-pricing addition. The burden of proof to establish arm's length rests on the taxpayer under Section 92F. Fix: Commission a brief Local File and comparables analysis every financial year, updated with actual financials before Form 3CEB is filed.

4. Missing ESOP perquisite TDS in the exercise month This is the single most common ESOP compliance failure. Employers defer perquisite TDS to the April payroll reconciliation or to the Form 16 cycle. Section 192 is unambiguous: TDS must be deducted in the month of exercise. Fix: Build an ESOP exercise notification workflow into your HRMS so Finance receives same-day notice of every exercise and processes a mid-month payroll adjustment.

5. Treating DPDP consent as a one-time event Consent under the DPDP Act must be granular, purpose-specific and revocable on demand. A single privacy-policy checkbox collected at account creation satisfies none of these requirements. More critically, if you share personal data with third-party vendors (cloud providers, analytics tools, marketing platforms), each vendor relationship may require its own consent or a Data Processing Agreement. Fix: Implement a layered consent management system; audit vendor contracts quarterly; map every data flow in your RoPA to a legal basis.

6. Missing the FLA return deadline The FLA return (15 July) falls during the busiest compliance month of the year — overlapping with GST returns, advance-tax planning and ROC filings. IT companies with FDI routinely miss it. Fix: Assign FLA return to the CFO's calendar in early June with a two-week preparation buffer.

Worked Example: A Rs. 25 Crore SaaS Firm's Compliance Exposure

Consider AlphaStack Pvt. Ltd., a representative mid-stage Indian SaaS company: Rs. 25 crore in FY 2026-27 revenue (90% in USD), 55 employees with active ESOPs, a wholly owned Delaware subsidiary, and 80,000 Indian B2B users whose data it processes.

Scenario A — Softex backlog AlphaStack omits Softex on 18 invoices totalling USD 5,00,000 (approximately Rs. 4.15 crore) in Q1 FY 2026-27. Discovered in August, the company files a FEMA compounding application. The maximum compounding exposure is 3× the unreported amount — Rs. 12.45 crore — though the actual settlement is typically a fraction of this. The process alone: 8–10 months, legal fees of Rs. 3–5 lakh, and blocked ability to remit dividends to the Delaware subsidiary until resolution.

Scenario B — GST refund permanently lost AlphaStack exports Rs. 22 crore in services. Adjusted total turnover: Rs. 25 crore. Accumulated ITC: Rs. 88 lakh. Eligible refund = Rs. 88 lakh × (22/25) = Rs. 77.44 lakh. If RFD-01 is not filed within two years of eBRC dates, this refund lapses. In a thin-margin SaaS business, Rs. 77 lakh represents several months of senior-engineer salaries.

Scenario C — Transfer-pricing addition AlphaStack charges its Delaware subsidiary Rs. 15 crore for software development at a 6% operating margin. CBDT benchmarking places the industry at 20%. Transfer-pricing officer's notional adjustment: Rs. 15 crore × (20% – 6%) on cost = addition of approximately Rs. 2.1 crore. Tax at 25.17%: Rs. 52.86 lakh. Interest under Sections 234B/234C: Rs. 10–12 lakh. Total: approximately Rs. 63–65 lakh from a single underpriced intercompany arrangement that had never been challenged before.

The combined exposure across these three scenarios exceeds Rs. 13 crore — for a company that appeared compliant on its face.

Your FY 2026-27 Compliance Calendar

Assign a named owner to every row. Review at each monthly finance-team meeting.

Key Takeaways

• Zero-rated GST is earned, not assumed: LUT must be filed before April 1, eBRCs must be obtained promptly, and RFD-01 refund applications must be filed within two years of foreign-exchange receipt — there is no extension.
• Softex is the foundation of your foreign-currency compliance stack: a filing gap that looks trivial in April can become a FEMA compounding proceeding worth multiples of the original invoice by October.
• Transfer pricing applies to every intercompany transaction, however small — a Rs. 1 crore monthly service fee to a related party abroad requires a benchmarking study, not just a contract.
• ESOP perquisite TDS must be deducted in the month of exercise: deferring to the April payroll cycle creates a Section 201(1A) interest liability that compounds monthly.
• DPDP Act penalties are real and large: Rs. 250 crore for data-security failures, Rs. 200 crore for breach non-disclosure. Build consent management and 72-hour breach-response workflows before you need them.
• FLA return, APR and ODI filings sit outside the normal tax calendar and are easily missed — they require their own calendar entries with two-week preparation buffers.
• A single compliance calendar with named owners is the most effective tool an IT company can build: six regulatory tracks converge into one manageable cadence, and accountability is explicit rather than assumed.