MCA, FEMA, RBI, SEBI: What Compliance Really Means for Founders

In India’s growing startup world, being a founder means doing more than just creating a product or getting funds. Founders are also expected to comply with an array of regulatory frameworks that govern every aspect of doing business, from incorporation and foreign investments to capital markets and foreign exchange transactions. These regulations are administered by key statutory and regulatory bodies like the Ministry of Corporate Affairs (MCA), Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and provisions under the Foreign Exchange Management Act (FEMA).
While founders often focus on building their product or acquiring users, understanding and adhering to legal compliance requirements is equally critical for sustainability, reputation, and expansion. In this article, we explore what compliance really means for founders through the lens of these four major regulators, including recent changes, applicable sections, and mandatory filings.
In this article, CA Manish Mishra talks about MCA, FEMA, RBI, SEBI: What Compliance Really Means for Founders.
Ministry of Corporate Affairs (MCA): Laying the Legal Foundation
The Ministry of Corporate Affairs (MCA) governs the incorporation, regulation, and reporting of companies under the Companies Act, 2013 and the Limited Liability Partnership Act, 2008. Founders setting up companies, whether Private Limited, OPC, or LLP, must navigate the MCA’s compliance landscape right from day one.
Key MCA Compliance Requirements
- Commencement of Business (Section 10A): Companies must file Form INC-20A within 180 days of incorporation to declare they’ve commenced business. Failure to do so may lead to penalties and even strike-off.
- Annual Return (Section 92): Every company must file Form MGT-7 or MGT-7A with details of shareholding, board composition, and corporate structure within 60 days of the AGM.
- Financial Statements (Section 137): Form AOC-4 must be filed within 30 days of the AGM, enclosing the balance sheet, P&L account, and audit reports.
- Director KYC (Rule 12A): Every director holding a Director Identification Number (DIN) must file DIR-3 KYC annually, or risk DIN deactivation.
- Board and Shareholder Meetings: Under Section 173, companies must hold at least four board meetings annually, and an Annual General Meeting (AGM) under Section 96.
- Disclosure of Interest (Section 184): Directors must declare their interest in other companies/partnerships via Form MBP-1 annually.
Recent MCA Updates
- The MCA has transitioned most filings to the V3 portal, which integrates PAN-based login and faster processing of e-forms.
- New forms such as SPICe+, AGILE Pro, and INC-9 now cover incorporation, GST, ESIC, EPFO, and Professional Tax in one unified application.
FEMA: Cross-Border Capital Flow
The Foreign Exchange Management Act, 1999 (FEMA) regulates foreign exchange transactions and is vital for startups raising foreign direct investment (FDI) or expanding globally. FEMA aims to facilitate orderly development and maintenance of the foreign exchange market in India.
Key FEMA Compliance for Founders
- FDI Reporting through FIRMS Portal:
- Form FC-GPR (Rule 23, FEMA Non-Debt Instruments Rules, 2019): To be filed when a company issues shares to a foreign investor within 30 days from the date of share allotment.
- Form FC-TRS: Required when shares are transferred between a resident and a non-resident.
- Downstream Investment Reporting: Indian companies receiving indirect FDI via another Indian entity (with foreign investment) must file Form DI.
- ODI Reporting (Overseas Direct Investment): Form FC and Entity Structure Return (ESR) for investment in joint ventures or wholly owned subsidiaries abroad.
- Annual Return on Foreign Liabilities and Assets (FLA): Mandatory for Indian entities receiving foreign investment or making ODI. Must be filed annually by 15th July.
Recent FEMA/RBI Updates
- In April 2025, the RBI mandated that all applications under FEMA be submitted via the PRAVAAH Portal from May 1, 2025, including ODI, LRS, and ECB-related filings.
- Non-compliance penalties have been updated under Section 13 of FEMA, ranging from monetary fines to compounding, and even prosecution in extreme cases.
Reserve Bank of India (RBI): Compliance for NBFCs, Fintechs & Payments
The Reserve Bank of India (RBI) is India’s central bank and monetary authority. RBI governs the financial and fintech sector, including NBFCs, digital lenders, payment aggregators, and foreign exchange regulations.
RBI Compliance for Founders and Startups
- NBFC Licensing (Section 45-IA, RBI Act, 1934): Startups engaged in lending or asset financing must register as an NBFC if their financial assets exceed 50% of total assets. RBI mandates a minimum Net Owned Fund (NOF) of ₹10 crore (for new NBFCs from April 2023 onward).
- Payment Aggregators and Wallet Providers: Must register with RBI under DPSS Guidelines, maintain escrow accounts, and comply with data localization norms. Examples include Razorpay, Paytm, PhonePe.
- Digital Lending Guidelines (Updated in 2023): Digital lenders must disclose loan terms, partner NBFCs, and ensure borrower consent for credit bureau reporting.
- Liberalized Remittance Scheme (LRS): Founders making payments abroad must comply with TCS under Section 206C(1G) of the Income Tax Act along with RBI’s LRS norms.
Recent RBI Circulars
- In February 2025, RBI directed all payment aggregators to integrate multi-factor authentication and dynamic UPI linking for enhanced customer security.
- RBI has also proposed tighter scrutiny for BNPL (Buy Now Pay Later) companies and their lending arrangements.
SEBI: Fundraising, IPOs, and Investor Protection
The Securities and Exchange Board of India (SEBI) is the capital market regulator in India, governing IPOs, private placements, venture capital, and equity-based instruments like ESOPs and convertible debentures.
SEBI Compliance for Founders Raising Capital
- SEBI (Alternative Investment Funds) Regulations, 2012: Angel investors and VC funds are registered under SEBI as AIFs. Startups receiving AIF investments must comply with reporting requirements and valuation norms.
- SEBI (SBEB & Sweat Equity) Regulations, 2021: Applies to Employee Stock Option Plans (ESOPs), RSUs, and Sweat Equity shares. Companies must file disclosures in line with these regulations, especially before IPO.
- LODR (Listing Obligations and Disclosure Requirements): For listed companies or those planning IPOs, SEBI mandates disclosures on board independence, risk management, shareholding patterns, and related party transactions.
- SEBI (ICDR) Regulations, 2018: Govern the IPO process, pre-issue capital, minimum subscription, and post-listing disclosures.
- SEBI’s Insider Trading Rules: Applicable once founders or team members have access to unpublished price-sensitive information (UPSI).
Recent SEBI Updates
- SEBI has directed all mutual funds, brokers, and listed companies to integrate with DigiLocker by April 1, 2025, to prevent fraud and simplify e-KYC.
- SEBI also launched a Consultation Paper on Regulating Unregistered Finfluencers, which may impact founder-led content marketing in finance.
Why Non-Compliance Can Be Risky for Founders
Compliance failures can lead to:
- Hefty Penalties: MCA penalties start at ₹100/day per form; RBI and FEMA penalties may go into lakhs or crores.
- Disqualification of Directors: Under Section 164, MCA may disqualify directors of defaulting companies for 5 years.
- Compounding & Prosecution: Under FEMA and Companies Act, defaults can be compounded or prosecuted, depending on the severity.
- Reputation Risk: Non-compliance reflects poorly with investors, banks, and stakeholders, often becoming red flags in due diligence.
Conclusion
For founders, regulatory compliance under MCA, FEMA, RBI, and SEBI is not an afterthought; it’s a strategic business priority. Understanding these legal frameworks early helps build trust with investors, avoid penalties, and create a scalable foundation. With digital integrations like PRAVAAH, FIRMS, MCA V3, and DigiLocker, most filings can now be made seamlessly online. Still, legal advice, internal compliance checks, and partnering with professionals remain indispensable for founders aiming for long-term success.
Frequently Asked Questions
Q1. Can a startup be penalized for late MCA filings even without revenue?
Ans. Yes. MCA compliance is mandatory irrespective of revenue or operations. Failure to file can lead to penalties and director disqualification.
Q2. What is the deadline to file FC-GPR after receiving FDI?
Ans. Form FC-GPR must be filed within 30 days of the share allotment date on the RBI’s FIRMS Portal.
Q3. Do we need to file anything with SEBI if we raise money through private equity?
Ans. Not directly. However, the AIF or investor registered with SEBI may have obligations. The startup must maintain valuation and share transfer records.
Q4. Are fintech startups without lending licenses exempt from RBI guidelines?
Ans. No. If you act as a Loan Service Provider, Payment Aggregator, or handle customer money, RBI compliance applies.
Q5. What happens if we miss the FLA return under FEMA?
Ans. Late or non-filing of FLA returns may result in compounding under FEMA. Continued non-compliance affects future FDI/ODI approvals.
Q6. Can we issue ESOPs to advisors or consultants?
Ans. Yes, but only under Sweat Equity provisions. ESOPs under Section 62(1)(b) are meant for employees or directors on payroll.
Q7. What is DigiLocker compliance as per SEBI?
Ans. From April 2025, all listed entities, mutual funds, and depository participants must integrate with DigiLocker for paperless communication and to prevent unclaimed securities.