Categories
Blog Updates

Accounting Treatment of Dry Dock Costs After Useful Life Under Ind AS 16

1. Facts

A Limited, a public company (hereinafter referred to as ‘the company’) under the Ministry of Shipping, is engaged in dredging operations across major and minor ports and operates a fleet of various dredgers and ancillary crafts. Four dredgers have completed their estimated useful life of twenty-five years, but continue in active use. The Company depreciates its dredgers over twenty-five years with a residual value of two percent.

All dredgers must undergo periodic IRS inspections every three to five years to remain operational. These inspections require significant dry dock expenditure, including overhaul and repair costs, and the Company capitalises such expenditure as major inspection costs in accordance with paragraph 14 of Ind AS 16, derecognising the previous inspection component.

During the audit for 2021-22 to 2023-24, the CAG observed that dry dock expenditure on dredgers whose useful lives had expired was capitalised, which, in its view, was inconsistent with the Company’s accounting policy and an earlier EAC opinion issued under the IGAAP framework. The CAG held that such costs should have been expensed as repairs and maintenance.

The Company submitted that the earlier EAC opinion was under IGAAP and did not consider Ind AS requirements, including component accounting. It referred to industry guidance and a 2023 EAC opinion permitting capitalisation of subsequent expenditure where future economic benefits arise, even if the main asset has completed its useful life. Dry dock expenditure, in the Company’s view, restores operational utility and extends the dredgers’ usable life; accordingly, the useful lives of the concerned dredgers were reviewed and extended up to the next dry dock cycle in line with paragraph 51 of Ind AS 16.

State whether such treatment is appropriate and whether subsequent expenditure can be capitalised even after the expiry of a dredger’s original useful life.

2. Relevant Provisions

Ind AS 16 Property, Plant and Equipment

Para 7

The cost of an item of property, plant and equipment shall be recognised as an asset if, and only if:

(a) it is probable that future economic benefits associated with the item will flow to the entity; and

(b) the cost of the item can be measured reliably.

Para 13

Parts of some items of property, plant and equipment may require replacement at regular intervals. For example, a furnace may require relining after a specified number of hours of use, or aircraft interiors such as seats and galleys may require replacement several times during the life of the airframe. Items of property, plant and equipment may also be acquired to make a less frequently recurring replacement, such as replacing the interior walls of a building, or to make a non-recurring replacement. Under the recognition principle in paragraph 7, an entity recognises in the carrying amount of an item of property, plant and equipment the cost of replacing part of such an item when that cost is incurred if the recognition criteria are met. The carrying amount of those parts that are replaced is derecognised in accordance with the derecognition provisions of this Standard.

Para 14

A condition of continuing to operate an item of property, plant and equipment (for example, an aircraft) may be performing regular major inspections for faults regardless of whether parts of the item are replaced. When each major inspection is performed, its cost is recognised in the carrying amount of the item of property, plant and equipment as a replacement if the recognition criteria are satisfied. Any remaining carrying amount of the cost of the previous inspection (as distinct from physical parts) is derecognised. This occurs regardless of whether the cost of the previous inspection was identified in the transaction in which the item was acquired or constructed. If necessary, the estimated cost of a future similar inspection may be used as an indication of what the cost of the existing inspection component was when the item was acquired or constructed.

Para 43

Each part of an item of property, plant and equipment with a cost that is significant in relation to the total cost of the item shall be depreciated separately.

The post Accounting Treatment of Dry Dock Costs After Useful Life Under Ind AS 16 appeared first on Taxmann Blog.

RBI Releases Final Directions on Digital Banking Channels Authorisation

PR no. 2025-2026/1589; Dated: 28.11.2025

The Reserve Bank of India (RBI) has issued the final Digital Banking Channels Authorisation Directions, 2025, establishing a comprehensive regulatory framework for digital banking operations in India. These Directions apply to all banks authorised to operate in India, including both commercial banks and cooperative banks.

1. Scope and Applicability

The Directions govern the authorisation, governance, and conduct of digital banking channels offered by banks. They aim to ensure secure, reliable, and customer-centric digital banking services across the sector.

Applicability extends to:

  • Scheduled commercial banks
  • Small finance banks
  • Payments banks (as applicable)
  • Urban and state cooperative banks

2. Eligibility Criteria for View-Only Digital Banking

The Directions prescribe specific conditions for banks seeking to offer non-transactional or view-only digital facilities. These include:

  • Demonstration of robust internal systems for data display
  • Adequate cybersecurity safeguards
  • Proper customer authentication mechanisms
  • Compliance with IT governance standards prior to launch

These facilities enable customers to access account statements, balances, and other information without initiating transactions.

3. Eligibility Criteria for Transactional Digital Banking

Banks intending to provide full-fledged digital banking services—such as payments, transfers, and other online transactions—must meet enhanced eligibility norms, including:

  • Strong operational resilience frameworks
  • End-to-end encrypted digital infrastructure
  • Tested and audited transaction and reconciliation systems
  • Adequate fraud monitoring, alerting, and reporting mechanisms

The aim is to ensure smooth, secure, and reliable digital transactions for customers.

4. Technological Guidelines for Digital Banking

RBI has laid down detailed instructions on technology standards, including:

  • IT governance, risk, and compliance frameworks
  • Cybersecurity guidelines, including periodic audits and threat monitoring
  • Requirements for high system availability and disaster recovery
  • Data protection and privacy standards
  • Use of secure APIs and third-party integration protocols

These guidelines ensure that digital channels remain resilient and function with minimal disruptions.

5. General Operational Guidelines

The Directions also provide common operational requirements applicable across all digital banking channels, such as:

  • Mandatory board and senior management oversight
  • Periodic reporting to RBI
  • Transparent disclosure requirements
  • Internal audit and compliance review obligations
  • Policies on outsourcing technology or operational functions

These requirements help maintain consistency and governance across digital banking platforms.

6. Customer Conduct & Additional Instructions

The Directions emphasise customer protection and responsible conduct requirements, covering:

  • Clear communication of terms, charges, and limits
  • Robust grievance redressal mechanisms
  • Standards to ensure fair treatment of customers
  • Measures to prevent customer misuse or risky behaviour
  • Liability allocation in cases of unauthorised transactions

Banks must ensure customer awareness, provide timely notifications, and maintain transparency across services.

7. Conclusion

The Digital Banking Channels Authorisation Directions, 2025 strengthen India’s digital banking landscape by setting unified standards for authorisation, security, and customer protection. With these Directions, the RBI aims to improve the resilience, reliability, and consumer-centric nature of digital banking across all authorised banks.

The post RBI Releases Final Directions on Digital Banking Channels Authorisation appeared first on Taxmann Blog.

SEBI Notifies SEBI (Informal Guidance) Scheme, 2025 | Expands Eligibility for Regulatory Clarifications

PR No.77/2025; Dated: 28.11.2025

The Securities and Exchange Board of India (SEBI) has approved the substitution of the existing SEBI (Informal Guidance) Scheme, 2003 with a new and more comprehensive framework titled the SEBI (Informal Guidance) Scheme, 2025. The updated scheme aims to modernise, expand, and streamline the process of seeking regulatory clarity from SEBI.

1. Broader Scope Under the New Scheme

The 2025 Scheme significantly broadens the categories of entities eligible to approach SEBI for interpretative guidance. Under the revised framework, the following regulated entities may now seek informal guidance:

  • Stock Exchanges
  • Clearing Corporations
  • Depositories
  • Other intermediaries and market infrastructure institutions

This expansion ensures that a wider range of market participants can obtain regulatory clarity, thereby enhancing compliance standards and reducing interpretational uncertainties.

2. Modernised Framework for Regulatory Clarifications

The new Scheme seeks to:

  • Ensure uniformity and transparency in SEBI’s guidance process
  • Address evolving market structures and regulatory needs
  • Provide timely and reliable interpretational support
  • Replace the outdated 2003 framework with a more relevant and robust mechanism

3. Applicability and Transition

SEBI has clarified that from 01 December 2025 onwards, the processing of all informal guidance applications—whether newly submitted or pending—shall be governed under the SEBI (Informal Guidance) Scheme, 2025.

This ensures a seamless transition and consistent application of the updated regulatory framework.

4. Conclusion

The introduction of the SEBI (Informal Guidance) Scheme, 2025 marks a significant step toward strengthening regulatory clarity and stakeholder engagement. By widening the scope and modernising the process, SEBI aims to facilitate better compliance and foster a more transparent, informed, and efficient securities market ecosystem.

The post SEBI Notifies SEBI (Informal Guidance) Scheme, 2025 | Expands Eligibility for Regulatory Clarifications appeared first on Taxmann Blog.

Director of Fake Firm Treated as Taxable Person – Liable for Penalty | HC

Case Details: Devender Singh vs. Additional Commissioner, Central Goods and Services Tax [2025] 180 taxmann.com 490 (Delhi)

Judiciary and Counsel Details

  • Prathiba M. Singh & Madhu Jain, JJ.
  • Akhil Krishan Maggu, Vikas Sareen, Ms Oshin Maggu, Aryan Nagpal, Ms Mehak Sharma, Advs. for the Petitioner.
  • Ms Anushree Narain, SSC, Naman Choula, Yamit Jetley, Advs. for the Respondent.

Facts of the Case

A show-cause notice was issued to the petitioner alleging that he was involved in creating fake firms to indulge in fraudulent circular trading and had been involved in operating various bank accounts, mobile phones under different names, and also GST Nos., which were generated in the names of these firms. A detailed order-in-original was passed against the petitioner after granting an opportunity to be heard, raising demands. The petitioner contended that he was only a director or a partner of the firms, and hence no penalty could be imposed upon him under section 122 of the CGST Act.

High Court Held

The Delhi High Court held that the allegations against the petitioner were extremely serious. In the case of fake, non-existent, and fraudulent firms, which do not have any real persons as partners or proprietors or even any incorporation, the ‘taxable person’ would be the person who has got such firms created and used the same for availment of ITC. If the petitioner’s submission was accepted, then in the case of fake firms or non-existent firms, there would be no liability cast upon anybody despite fraudulently cheating the Exchequer of crores of rupees as in the instant case. The petitioner was clearly alleged to be the mastermind of the entire maze of transactions resulting in the fraudulent availment of crores of rupees of ITC. The associates of the petitioner were involved, and their services were utilized by the petitioner and his son for the creation of fake firms. Thus, the director or partner of the firm would be considered a ‘taxable person’ and liable for penalty under section 122(1).

List of Cases Referred to

The post Director of Fake Firm Treated as Taxable Person – Liable for Penalty | HC appeared first on Taxmann Blog.

ITC Refund Allowed to 100% EOU for Zero-Rated Exports | HC

Case Details: Shah Paperplast Industries Ltd. vs. Union of India [2025] 180 taxmann.com 582 (Gujarat)

Judiciary and Counsel Details

  • Bhargav D. Karia & Pranav Trivedi, JJ.
  • Uchit N Sheth for the Petitioner.
  • Ms Hetvi H Sancheti for the Respondent.

Facts of the Case

The petitioner was a 100% Export Oriented Undertaking (EOU), engaged in the manufacture and export of Tissue Paper, Wrapping Paper, Disposable Plastic Products, etc. It purchased raw materials from the registered suppliers under the GST Act, which were used to manufacture the finished products for export. The petitioner filed a refund application under Section 54 of the GST Act read with Rule 89(4) of the GST Rules. The supplier of the goods to the petitioner did not avail the input tax credit, and the refund was sanctioned by the authorised officer. The order was passed under section 107(2) of the Act, and the refund sanction order was reviewed on the ground that the petitioner is 100% EOU and eligible to file a refund claim under Rule 89(1) or Rule 89(4A) of the GST Rules. Aggrieved by the order, the petitioner filed a writ petition to the Gujarat High Court.

High Court Held

The High Court held that the petitioner had not claimed any refund of the input tax credit on the deemed export supply. The petitioners were exporters of the finished goods, and the refund claim was filed by the petitioners being 100% EOU of zero-rated supply without payment of tax. The petitioners were not deemed exporters but were exporters of the goods, resulting in zero-rated supply as per section 16(1) of the IGST Act. Since the petitioners had exported the goods, they were entitled to a refund of the unutilised input tax credit as per the provisions of section 54(3) of the GST Act read with Rule 89(4) of the GST Rules. The petitioners were not governed by para no. 2.2 of the Circular dated 06.07.2022. When the petitioners were not the deemed export suppliers, Rule 89(4A) would also not be applicable to the petitioners as Rule 89(4A) has been omitted by the Central Goods and Services Tax (Second Amendment) Rules, 2024 with effect from 08.10.2024. Therefore, the reasonings assigned by the appellate authority for the applicability of Rule 89(4A) of the GST Rules were also contrary to the provisions of the GST Act. The petitions were to be allowed, and the respondents were not justified in disallowing the refund claims of the petitioners.

List of Cases Referred to

The post ITC Refund Allowed to 100% EOU for Zero-Rated Exports | HC appeared first on Taxmann Blog.

RBI Updates KYC Norms for Authorised Persons | Strengthens Entity-Wise Compliance

A.P. (DIR Series) Circular No. 16; Dated: 28.11.2025

The Reserve Bank of India (RBI) has issued updated instructions to align Know Your Customer (KYC) requirements for Authorised Persons (APs) with the newly introduced entity-wise regulatory framework. The changes aim to ensure uniformity, strengthen customer due diligence, and enhance oversight across all categories of APs.

1. Entity-Wise KYC Compliance

RBI has clarified that the applicable KYC requirements for Authorised Persons will now depend on the regulatory category under which they fall:

1.1 APs Regulated by the Department of Regulation (DoR)

APs that are subject to the Department of Regulation must adhere to their respective KYC directions issued by the DoR. These entities must ensure that their customer onboarding and verification processes comply with the updated norms under the applicable regulatory framework.

1.2 APs Not Covered Under DoR Regulation

Authorised Persons not regulated by the DoR are required to comply with the RBI (NBFC–KYC) Directions, 2025. These directions provide the baseline standards for customer identification, verification, and ongoing monitoring.

2. Compliance Requirements for Agents and Franchisees

APs must also ensure that all agents, franchisees, and other associated service providers adhere to the relevant KYC requirements. This responsibility includes:

  • Conducting adequate due diligence on agents
  • Ensuring adherence to regulatory KYC norms during transactions
  • Monitoring compliance on a continuous basis

3. Modification to Related Master Directions

With the issuance of these updated KYC instructions, RBI has explicitly stated that the related Master Directions stand modified to align with the revised framework.

4. Immediate Applicability

The instructions take immediate effect, requiring all Authorised Persons to review their KYC processes and implement the necessary changes without delay.

The post RBI Updates KYC Norms for Authorised Persons | Strengthens Entity-Wise Compliance appeared first on Taxmann Blog.

SEBI Reclassifies REITs as Equity Instruments for MF and SIF Investments

Circular No. HO/24/13/12(1)2025-IMD-POD-2/I/157/2025; Dated: 28.11.2025

SEBI has revised the investment classification framework for Real Estate Investment Trusts (REITs) to facilitate wider participation by Mutual Funds (MFs) and Specialised Investment Funds (SIFs).

1. Reclassification of REITs

To enable greater institutional exposure to real estate-backed securities, SEBI has reclassified REITs as equity-related instruments.

  • This change ensures that investments in REIT units by MFs and SIFs will now fall under the equity allocation category, improving flexibility for fund managers and supporting broader investor participation.
  • The revised classification will assist in better portfolio alignment and may allow higher permissible exposure limits for funds that are otherwise restricted under non-equity allocations.

This reclassification will be effective from January 1, 2026.

2. Classification of InvITs Remains Unchanged

SEBI has clarified that Infrastructure Investment Trusts (InvITs) will continue to be treated as hybrid instruments for the purpose of MF and SIF investments.

  • This preserves the existing regulatory treatment for InvITs, which combine features of equity and debt.

3. Effective Date

All regulated entities must apply these updated classifications from January 1, 2026, for compliance with investment norms, exposure limits, and portfolio categorisation.

The post SEBI Reclassifies REITs as Equity Instruments for MF and SIF Investments appeared first on Taxmann Blog.

[Opinion] Reward Points | Real Risk – The Income Tax Crackdown on Credit Card Misuse in India

Adv. Ashish Parashar  [2025] 180 taxmann.com 798 (Article)

Indian taxpayers are increasingly receiving income-tax notices where the real issue isn’t the credit card itself, but the misuse of cards to farm reward points/cashback – “manufactured spending”, rent gaming, card lending, etc. The Department is now able to see these patterns clearly in AIS/SFT and is treating many such transactions as unexplained income or expenditure.

In this recent write-up, the author has tried to analyse the nitty-gritty of these newly emerging issues.

1. Background – Why Credit Card Rewards are Suddenly a Tax Problem

Over the last few years:

  • Banks and Fintechs have aggressively pushed high-reward cards, rent-payment apps, tax-payment via cards and wallet loads.
  • Users, in turn, started “manufactured spending” – rotating money through cards and payment gateways purely to earn points/cashback, without any real underlying consumption.
  • The Income-tax Department has scaled up data analytics and AIS/SFT-based profiling to flag high-value credit card spending inconsistent with reported income.

As a norm, banks and card issuers must now report high-value card payments as Specified Financial Transactions (SFT) – typically where annual payments on a card exceed Rs. 10 lakh, especially for non-cash payments, with lower limits for cash components. This data feeds directly into the AIS and the e-Campaign/Compliance Portal, where mismatch cases are pushed to taxpayers with online notices seeking explanation for high-value transactions.

2. The Typical “Misuse for Rewards” Fact Patterns That are Triggering Notices

2.1 Money Rotation/Manufactured Spending Pattern

  • Taxpayer uses card to:
    1. Pay “rent” to a friend/relative via rent-payment apps (without any real tenancy), who then returns the money by bank transfer.
    2. Load wallets, pay to own/related entities, or route money via payment gateways.
  • Net result – same money keeps circulating between bank and card, but:
    1. Card issuer treats it as spend and gives rewards.
    2. AIS/SFT shows huge card spends without corresponding income or lifestyle explanation.

Many rent-payment platforms historically did not insist on rent agreements, enabling “rent” to be paid to friends/family and refunded, effectively just to earn rewards.

How the Department reacts

Where such rotation is disproportionate to income or has no genuine underlying expense, officers are increasingly treating it as:

  • Unexplained expenditure u/s 69C – where the source of funds used to pay card bills is not satisfactorily explained, or
  • Unexplained money/investments u/ss 69/69A, depending on structure.

A widely discussed recent example is a demand notice of about Rs. 1.12 crore u/s 156 issued to a Chennai-based taxpayer whose credit card usage of around Rs. 68.97 lakh via rotation and lending cards to friends was treated as unexplained expenditure u/s 69C because no returns were filed from AY 2021 onwards.

While this is anecdotal, it’s a good indicator of the Department’s current approach.

2.2 Lending Your Card to Friends/Family for Their Spends Pattern

  • Cardholder allows friends/family to use their card (sometimes in exchange for sharing benefits).
  • The cardholder receives reimbursements in cash/UPI/bank transfer, but:
    1. There is no proper trail, or
    2. The volume of spends is huge relative to the cardholder’s declared income.

In an Ahmedabad ITAT case, the Tribunal held that misuse of the assessee’s credit card by a friend could not automatically be treated as the assessee’s personal expenditure, emphasizing the need to examine who actually incurred the expense.

However, at the assessment stage, officers often either treat the full card spend as the assessee’s own expenditure, or treat reimbursed amounts as unexplained credits, if the source of friends’ funds is unclear.

If the officer believes the cardholder is acting as a conduit or providing accommodation entries, the matter can escalate to an unexplained income addition u/ss 68/69/69C.

2.3 Aggressive Rent/HRA Gaming Plus Rewards Pattern

  • Salaried individuals claim HRA exemption by showing rent paid, sometimes to parents or relatives.
  • Simultaneously, they route “rent” via credit card rent-payment platforms to earn rewards.
  • In some cases either there is no genuine landlord-tenant relationship or the landlord does not report corresponding rental income.

In this scenario, the Department can act in two ways:

  1. Disallow HRA exemption where rent is not proved as actually incurred.
  2. Treat part of the “rent” pattern as money rotation for rewards if amounts are reversed or refunded without economic substance (again invoking s.69C etc.).

Rent-payment for pure manufactured spending (no genuine rent) has already been highlighted as problematic by the Department – it’s essentially credit rotation just to extract reward points.

2.4 Paying Other People’s Business Expenses for Rewards

Directors/consultants often:

  • Use their personal cards to pay vendors, travel and other business expenses of a company, then
  • Seek reimbursement from the company, while keeping reward points.

From a pure income-tax perspective:

  • Legitimate business expenses reimbursed against proper bills are not income in the hands of the cardholder.
  • However, if reward points/cashback are substantial, particularly in a business context, they can be argued to be:
    1. Business income (s.28(iv)) if they arise from business-linked card usage, or
    2. A taxable perquisite where the company effectively allows personal enrichment.

It may be highlighted here that reward points exceeding Rs. 50,000 p.a. (or where materially monetised) should be reported as income or at least disclosed, especially where derived from third-party spends.

2.5 High Spend Pattern Disproportionate to Declared Income

Even without overt “gaming”, the following profile is a classic trigger:

  • ITR reflects income of say, Rs. 5–6 lakh p.a.
  • Credit card spends of Rs. 10–15 lakh+ p.a. across travel, luxury, online shopping.

The Department uses data analytics to identify such lifestyle–income mismatches and issues:

  • e-Campaign communications asking for explanation of high-value transactions, or
  • Notices u/s 142(1)/148A where under-reporting is suspected.

The post [Opinion] Reward Points | Real Risk – The Income Tax Crackdown on Credit Card Misuse in India appeared first on Taxmann Blog.

IFSCA Allows IIOs to Raise Reinsurance Invoices in Contract Currency Including INR

Circular no. eF.No. 103/IFSCA/Ins/CIRC/1/2021; Dated: 27.11.2025

The International Financial Services Centres Authority (IFSCA) has released a clarification regarding the issuance of invoices by IFSC Insurance Offices (IIOs) engaged in reinsurance transactions. The move aims to remove ambiguity surrounding permissible invoicing practices and ensure compliance with currency regulations applicable in IFSCs.

1. Issuance of Invoice in Contract Currency

IFSCA has clarified that an IIO transacting reinsurance business may issue invoices to the following entities:

  • Indian insurers
  • Foreign insurers
  • Reinsurers

Such invoices may be raised in the currency of the underlying reinsurance contract, which may include:

  • Any foreign currency
  • Indian Rupees (INR)

This flexibility ensures that invoice issuance aligns with international reinsurance contracting practices.

2. Mandatory Realisation in Specified Foreign Currencies

While invoices may be raised in INR or foreign currency, IFSCA has mandated that the realisation of the invoice amount must take place only in the specified foreign currencies permitted for IFSC transactions.

Key requirement:

  • The payment must be credited to the IIO’s bank account maintained with any International Banking Unit (IBU).
  • Such credit must be received in the designated foreign currencies as prescribed under IFSC guidelines.

This ensures that foreign exchange management standards applicable to IFSC entities remain consistent, even when invoicing occurs in INR.

3. Objective and Impact of the Clarification

  • Aligns invoicing practices with international reinsurance market norms
  • Provides operational flexibility to IIOs
  • Ensures compliance with IFSC currency realisation requirements
  • Reduces ambiguity for Indian and foreign insurers engaged with IIOs
  • Strengthens ease of doing business within IFSC

4. Conclusion

IFSCA’s clarification brings greater clarity and uniformity to the invoicing and settlement practices of IFSC Insurance Offices. By allowing invoices in contract currency—including INR—while mandating foreign currency realisation, the Authority balances operational flexibility with regulatory prudence.

The post IFSCA Allows IIOs to Raise Reinsurance Invoices in Contract Currency Including INR appeared first on Taxmann Blog.

[Analysis] India’s DPDP Act and Rules 2025 – Timeline | Obligations | Enforcement

The DPDP Act and Rules 2025 establish India's modern framework for protecting digital personal data, introducing a structured compliance regime for all Data Fiduciaries. The DPDP Act is India's primary data protection law that defines how organisations must collect, use, store, and protect personal data, and grants individuals specific rights over their information. The DPDP Rules, 2025 are the detailed regulations issued under the Act that explain the practical compliance requirements—such as consent management, breach reporting, notices, retention, and obligations for Significant Data Fiduciaries—ensuring the Act is implemented effectively. Together, the Act and Rules signal a decisive shift toward accountable, transparent, and rights-based data handling in India's digital ecosystem.

Table of Contents

  1. Introduction – Navigating India’s Data Protection Compliance Roadmap
  2. The Legal and Institutional Foundation – Commencement and the DPBI Setup
  3. Establishment and Functioning of the Data Protection Board of India (DPBI)
  4. Core Data Fiduciary Obligations (Effective May 2027)
  5. Elevated Regime – Significant Data Fiduciaries (SDF) and Algorithmic Governance
  6. Special Protections – Processing Data of Children and Persons with Disability (PwD)
  7. The Intermediary Ecosystem – Consent Managers and Data Processors
  8. Enforcement Architecture and the Monetary Penalty Regime
  9. Strategic Recommendations and Call to Action for Stakeholders

1. Introduction – Navigating India’s Data Protection Compliance Roadmap

The Digital Personal Data Protection Rules, 2025 (DPDP Rules), published on November 13, 2025[1], together with the phased launch of the Digital Personal Data Protection Act, 2023 (DPDP Act)[2], bring essential clarity to India’s regulatory environment. This formal activation establishes a mandatory compliance roadmap for Data Fiduciaries and officially launches India’s new privacy framework.

The framework adopts a structured, three-stage implementation approach – immediate setup (institutional), a one-year phase (activating the Consent Manager ecosystem), and an eighteen-month phase (activating core operational compliance). This phased schedule grants organisations a necessary, though tight, timeline to implement fundamental changes across their technology, legal, and governance models.

The immediate priority is institutional setup. The Data Protection Board of India (DPBI) is formally established[3], and its governing rules (Rules 1, 2, 17-21) are effective immediately. This means the regulator is now operational. Organisations must urgently prioritise the technical infrastructure needed for verifiable consent, prompt breach notification (72 hours), and automated data erasure processes to meet the May 2027 deadlines. Strategic planning must align resources and roadmaps with this strict compliance timeline.


2. The Legal and Institutional Foundation – Commencement and the DPBI Setup

The Central Government has adopted a deliberate, staggered approach to commencing the DPDP Act and the DPDP Rules, 2025, ensuring the enforcement structure is ready before the core compliance obligations are activated.

2.1 Certain Provisions that Commenced Immediately (November 13, 2025)

The provisions that commenced immediately focus on establishing the institutional machinery and laying down the foundational legal definitions. The key sections now in force include Section 1(2), Section 2 (Definitions), the entire Chapter V (Sections 18–26) establishing the DPBI, Section 35 (Protection of good faith action), Sections 38–43 (Miscellaneous provisions including rule-making power), and sub-sections (1) and (3) of Section 44 (Amendments to certain Acts). Correspondingly, the DPDP Rules governing the Board’s initial functions (Rules 1, 2, and 17 to 21) are effective immediately upon publication.

2.2 Provisions that Would Commence One Year from the Date of Notification (November 2026)

This intermediate phase is focused entirely on establishing the Consent Manager ecosystem. The provisions coming into force one year from Notification include Section 6(9) of the Act (mandating Consent Manager registration) and Section 27(1)(d) (DPBI power to inquire into breaches of registration conditions). Correspondingly, Rule 4 of the DPDP Rules, detailing the registration and obligations of a Consent Manager, also commences after one year. This grants the Consent Manager the necessary time to meet stringent standards and register before core consent rules are activated.

2.3 Provisions that Would Commence After Eighteen Months from the Date of Notification (May 2027)

The final phase, commencing eighteen months after Notification, activates the majority of operational compliance obligations on all Data Fiduciaries. The provisions coming into force include Sections 3–5 (Application, Processing Grounds, Notice), Section 6(1)–6(8) and 6(10) (Core Consent rules), Sections 7–17 (Certain Legitimate Uses, General Obligations, Children’s Data, SDF duties, Data Principal Rights), Section 27 (except 27(1)(d)), Sections 28–34 and 36–37 (DPBI Powers, Penalties, Enforcement), and Section 44(2) (Amendments to the IT Act, 2000). The bulk of the DPDP Rules, including Rules 3, 5 to 16, 22, and 23, are aligned with this timeline. This May 2027 date is the hard deadline for Data Fiduciaries to integrate new consent flows, security standards, and erasure mechanisms.

2.4 Commencement Timeline – DPDP Act and DPDP Rules, 2025

Commencement Date: 13-Nov-25
Sections: Sections 1(2), 2, 18–26, 35, 38–43, 44(1)&(3)
Chapter & Section Headings:
  • Chapter I – Preliminary – 1(2) (Short title & commencement); 2 (Definitions)
  • Chapter V – Data Protection Board of India – Sections 18–26 (Establishment & composition of Board)
  • Chapter IX – Miscellaneous – Sections 35 (Appeals), 38–43 (Miscellaneous)
  • Section 44(1) & (3) – “Power to make rules” & “Savings/Repeals” (within Chapter IX)
DPDP Rules: Rules 1, 2, 17–21
Strategic Implication (Cause-Effect): The regulatory architecture is formally live – the Board and core framework are legally activated. Focus shifts to operationalising staff, systems and compliance readiness.

Commencement Date: One Year (Nov 2026)
Sections: Sections 6(9), 27(1)(d)
Chapter & Section Headings:
  • Chapter II – Obligations of Data Fiduciary – Section 6 (Consent) (DPDPA)
  • Chapter VI – Powers, Functions and Procedure to be Followed by Board – Section 27 (Powers & functions of Board)
  • Section 27(1)(d) – “Powers and functions of Board”
  • Section 6(9) – “Consent”
DPDP Rules: Rule 4
Strategic Implication (Cause-Effect): A year’s window for the Consent Manager ecosystem and fiduciaries to get in place, register, and meet technical/financial standards before full consent-regime enforcement.

Commencement Date: Eighteen Months (May 2027)
Sections: Sections 3–5, 6(1)-(8), 6(10), 7-17, 27 (except 27(1)(d)), 28-34, 36-37, 44(2)
Chapter & Section Headings:
  • Chapter I – Preliminary – Sections 3–5 (“Application of the Act”; “Interpretation”; “Scope”)
  • Chapter II – Obligations of Data Fiduciary – Section 6 (Consent) and Sections 7-10 (Certain legitimate uses; General obligations; etc)
  • Chapter III – Rights and Duties of Data Principal – Sections 11–15 (Access, Correction, Erasure, Grievance, Nomination)
  • Chapter IV – Special Provisions – Sections 16–17 (Processing outside India; Exemptions)
  • Chapter VI – Powers, Functions and Procedure of Board – Sections 28–34 (Procedure of Board)
  • Chapter VIII – Penalties and Adjudication – Sections 33-34 and Sections 36-37 – “Penalties and adjudication”
  • Chapter IX – Section 44(2) – “Power of Central Government to issue notifications”
DPDP Rules: Rules 3, 5–16, 22, 23
Strategic Implication (Cause-Effect): This is the full implementation phase – all data fiduciaries must embed consent-flows, rights-mechanisms, security/erasure standards and register with the Board as per the regime.

3. Establishment and Functioning of the Data Protection Board of India (DPBI)

The DPBI, the central enforcement body, is formally established as a body corporate, headquartered in the National Capital Region of India[4]. The Board will consist of four members.[5]

3.1 The Digital Office Mandate and Techno-Legal Measures

A core feature of the DPBI is the mandate to function as a “digital office”. It must adopt “techno-legal measures” (Rules 20 and 22) to ensure all proceedings—from complaint receipt to final decisions—are conducted primarily through online or digital modes. Rule 20 confirms that the Board shall function as a digital office, allowing it to conduct proceedings without requiring the physical presence of any individual.

This design significantly impacts Data Fiduciaries, as the regulator’s adjudication process is engineered for digital interaction; organisations must ensure their internal logs, audit trails, and systems are digitised and ready for seamless digital inquiry processing. This effectively raises the standard for required digital governance maturity across all regulated entities.

3.2 Governance, Procedure, and Inquiry Timelines

The DPDP Rules detail the governance structure, including the appointment of the Chairperson and Members via prescribed committees (Rules 17, 18). Meetings require a quorum of one-third of the membership, with decisions made by majority vote.

Crucially, Rule 19(9) sets a maximum inquiry period. All inquiries must be completed within six months from the date of receipt of the intimation or complaint, unless an extension (not exceeding three months at a time) is recorded in writing. This mandatory timeline demands that Data Fiduciaries develop the capacity for rapid and efficient response to regulatory requests.

4. Core Data Fiduciary Obligations (Effective May 2027)

4.1 Standard of Consent and Notice Requirements

The DPDP Act requires a high standard for valid consent (Section 6), which must be

“free, specific, informed, unconditional and unambiguous with a clear affirmative action”.

Rule 3 specifies the required format for the accompanying notice – it must be presented clearly and be understandable independently of any other information provided. The notice must include – an itemised description of the personal data sought, the specified purpose(s) of processing, and a specific description of the goods or services provided.

Additionally, the notice must outline the means by which the Data Principal can exercise their rights, including the right to withdraw consent. Rule 3(c)(i) explicitly mandates that the ease of withdrawing consent must be comparable to the ease with which consent was initially given. This anti-dark pattern provision imposes a clear technical requirement – if consent is one-click, withdrawal must be similarly straightforward, backed by audit trails to demonstrate compliance parity.

4.2 Security Safeguards and Incident Response

Data security is a non-delegable duty. Section 8(5) requires Data Fiduciaries to take reasonable security safeguards to prevent a personal data breach. Failure to meet this standard risks the highest maximum penalty of ₹250 Crore.

4.2.1 Minimum Security Standards and Log Retention

Rule 6 defines “reasonable security safeguards,” detailing mandatory minimum measures:

  1. Data Security – Securing personal data via encryption, obfuscation, masking, or virtual tokens.
  2. Access Control – Measures to control access to computer resources.
  3. Visibility – Maintaining appropriate logs, monitoring, and review to detect unauthorised access.
  4. Resilience – Implementing reasonable data-backups and other measures for continued processing if data integrity is compromised.
  5. Contractual Requirements – DF-Data Processor contracts must include security safeguard provisions.

A key operational mandate is the explicit requirement to retain logs and personal data for a minimum period of one year. This retention is mandatory for detecting, investigating, and remediating unauthorised access, making log management a critical legal compliance task.

4.2.2 Intimation of Personal Data Breach

Rule 7 establishes a strict, dual-stream obligation for breach notification:

  1. Intimation to Data Principal – The Data Fiduciary must intimate each affected Data Principal “without delay,” through her user account or registered mode of communication. The notice must be concise and clear, detailing the nature of the breach, likely consequences, the Fiduciary’s mitigation measures, and safety measures the Data Principal should take.
  2. Intimation to the Board – The Fiduciary must immediately inform the Board (“without delay”) of the breach description and likely impact. Within seventy-two hours of becoming aware of the breach, a detailed update must be submitted to the Board, covering facts, mitigation steps, findings, remedial measures, and a report on intimations sent to Data Principals.

The 72-hour reporting timeline requires organisations to have a high level of Incident Response Maturity, capable of rapid forensic analysis and formal regulatory reporting within three calendar days.

4.3 Data Retention and Erasure Protocols

The Act provides a clear principle – a Data Fiduciary must erase personal data once consent is withdrawn or as soon as it is reasonable to assume the specified purpose is no longer being served, unless legal retention is required.

Rule 8 defines when a purpose is “deemed to be no longer served” for large-scale e-commerce, online gaming, and social media entities (those with specified user counts). For these Fiduciaries, if the Data Principal has not engaged with the Fiduciary or exercised her rights, the data must be erased after the corresponding period in the Third Schedule, typically three years.

This mandates active, automated Data Lifecycle Management (DLM) systems capable of tracking user inactivity against the three-year period, triggering erasure, and managing notifications. Rule 8 also requires the Data Fiduciary to inform the Data Principal at least forty-eight hours before erasure, providing a final window for contact.

The necessity to comply with two concurrent retention periods—the conditional erasure (Rule 8(1), Schedule III) and the mandatory minimum retention of associated traffic data and logs for one year (Rule 8(3))—requires precise data tagging and robust automated governance layers.
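The two concurrent clocks described in this section can be expressed as a small scheduling routine. The following is an added example, not code from the Rules or from the original article: the record fields, the 3 × 365-day approximation of three years, and the choice to defer erasure when the 48-hour notice went out late are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Periods quoted in the article; three years as 3 * 365 days is a simplification.
INACTIVITY_PERIOD = timedelta(days=3 * 365)  # Third Schedule, "typically three years"
PRE_ERASURE_NOTICE = timedelta(hours=48)     # Rule 8: inform at least 48 hours before
LOG_RETENTION_FLOOR = timedelta(days=365)    # Rule 8(3): logs kept at least one year


@dataclass
class Account:  # hypothetical record shape
    user_id: str
    last_engagement: datetime            # last login, transaction or rights request
    notice_sent_at: Optional[datetime] = None
    legal_hold: bool = False             # retention required under another law


@dataclass
class Decision:
    action: str                          # retain | hold | notify | wait | erase
    erase_not_before: Optional[datetime]


def plan_erasure(acct: Account, now: datetime) -> Decision:
    """Decide what the lifecycle job should do with one account right now."""
    if acct.legal_hold:
        return Decision("hold", None)
    due = acct.last_engagement + INACTIVITY_PERIOD
    notice = acct.notice_sent_at
    # A notice older than the latest engagement belongs to a previous cycle.
    if notice is not None and notice <= acct.last_engagement:
        notice = None
    if notice is None:
        if now >= due - PRE_ERASURE_NOTICE:
            # Send the notice now; erasure waits for both the inactivity
            # period and a full 48 hours after this notice.
            return Decision("notify", max(due, now + PRE_ERASURE_NOTICE))
        return Decision("retain", due)
    earliest = max(due, notice + PRE_ERASURE_NOTICE)
    return Decision("erase" if now >= earliest else "wait", earliest)


def split_logs(log_times: List[datetime],
               now: datetime) -> Tuple[List[datetime], List[datetime]]:
    """Return (must_keep, purge_eligible) under the one-year retention floor.

    The floor applies to each log entry on its own, so logs can outlive the
    erased personal data they relate to.
    """
    keep = [t for t in log_times if now - t < LOG_RETENTION_FLOOR]
    purge = [t for t in log_times if now - t >= LOG_RETENTION_FLOOR]
    return keep, purge


if __name__ == "__main__":
    # Constructed sample: an account inactive since 1 June 2027, notice never sent.
    last = datetime(2027, 6, 1, tzinfo=timezone.utc)
    acct = Account("u-1001", last)
    job_time = last + INACTIVITY_PERIOD + timedelta(days=2)  # batch job ran late
    print(plan_erasure(acct, job_time))
```

The late-notice branch is the case worth testing in a real pipeline: if the batch job misses the window, the earliest erasure time moves to 48 hours after the notice actually goes out rather than erasing on the original due date.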

5. Elevated Regime – Significant Data Fiduciaries (SDF) and Algorithmic Governance

5.1 Additional Obligations of SDFs (Rule 13)

The Central Government may notify any Data Fiduciary as a Significant Data Fiduciary (SDF) based on factors like the volume and sensitivity of data, risk to Data Principal rights, and impact on sovereignty (Section 10). SDFs face a substantially elevated compliance burden (Rule 13).

The core obligations include:

  1. Mandatory Annual Assessments – Conducting a Data Protection Impact Assessment (DPIA) and an audit every twelve months.
  2. Reporting – Submitting a report of significant observations from the DPIA and audit to the Board.
  3. Dedicated Personnel – Appointing a Data Protection Officer (DPO) based in India and responsible to the Board of Directors, and appointing an Independent Data Auditor.

5.2 Algorithmic Due Diligence

Rule 13 introduces a clear mandate for algorithmic governance – SDFs must verify that technical measures, including algorithmic software used for hosting, display, or sharing of personal data, are not likely to pose a risk to the rights of Data Principals.

This requires organisations to incorporate Algorithmic Risk Assessment into their annual compliance and auditing cycle, extending governance to the integrity and fairness of proprietary Machine Learning and Artificial Intelligence (AI) systems.

5.3 Cross-Border Data Transfer Restrictions (Rule 13(4) and Rule 15)

The DPDP Act establishes a nuanced framework for cross-border data transfer. Rule 15 provides the general rule – personal data may be transferred outside India, subject to restrictions the Central Government may specify by order. This establishes a permissible transfer regime unless specifically restricted.

However, the framework imposes stricter rules on SDFs. Rule 13(4) mandates that SDFs must undertake measures to ensure that personal data specified by the Central Government is processed subject to the restriction that the personal data and the associated traffic data are not transferred outside the territory of India.

This measure grants the Central Government the power to mandate data localisation for specific, high-risk data categories handled by the largest platforms. Compliance teams must actively monitor subsequent notifications defining these restricted data categories.

6. Special Protections – Processing Data of Children and Persons with Disability (PwD)

The Act imposes elevated duties when processing the personal data of children (under 18) and Persons with Disability (PwD).

6.1 Verifiable Parental Consent for Children (Rule 10)

Section 9(1) mandates obtaining the verifiable consent of the parent before processing any personal data of a child. Rule 10 details the required technical and organisational measures.

Data Fiduciaries must verify that the individual identifying as the parent is an identifiable adult. Verification can reference:

  1. Reliable identity and age details already held by the Fiduciary.
  2. Identity and age details provided voluntarily, potentially via a virtual token mapped to such details, issued by an authorised entity.

The Rules explicitly authorise the use of identity and age details made available and verified by a Digital Locker Service Provider. This formalises the use of India’s digital public infrastructure for verification, requiring companies serving child Data Principals to prioritise API integration with these services.

6.2 Exemptions from Child Data Rules (Rule 12, Schedule IV)

The strict mandates of verifiable consent (Sec 9(1)) and the prohibition on tracking, behavioural monitoring, and targeted advertising (Sec 9(3)) have specific exemptions.

Exempt classes (Schedule IV Part A) include:

  1. Healthcare establishments are restricted to processing necessary information for providing health services to the child.
  2. Educational institutions are restricted to tracking and monitoring necessary for educational activities or the safety of enrolled children.
  3. Transport providers engaged by schools or crèches are restricted to location tracking for safety.

Exempt purposes (Schedule IV Part B) include:

  1. Processing necessary for government provision of subsidy, benefit, or service (under Sec 7(b)) in the interest of the child.
  2. Real-time location tracking for a child’s safety, protection, or security.
  3. Processing strictly necessary for the Data Fiduciary to confirm that the Data Principal is not a child.

6.3 Due Diligence for Persons with Disability (Rule 11)

For Data Principals who are PwD and require a lawful guardian, Rule 11 mandates specialised due diligence. The Data Fiduciary must verify that the guardian was appointed by a court of law, a designated authority, or a local-level committee, according to applicable guardianship law. This ensures legitimate legal capacity to consent on behalf of vulnerable Data Principals.

7. The Intermediary Ecosystem – Consent Managers and Data Processors

7.1 The Highly Regulated Consent Manager Regime (Rule 4, Schedule I)

The Consent Manager (CM) acts as a critical intermediary, enabling the Data Principal to give, manage, review, and withdraw consent through an interoperable platform.

The registration conditions (First Schedule, Part A) are rigorous, ensuring high standards for entrants. Key conditions include:

  1. Must be a company incorporated in India.
  2. Must demonstrate sufficient capacity (technical, operational, and financial).
  3. Must have a net worth of not less than two crore rupees (₹2 Crore).
  4. Requires independent certification that the CM’s interoperable platform aligns with data protection standards published by the Board.

CMs have significant obligations (First Schedule, Part B), including acting in a fiduciary capacity towards the Data Principal and strictly avoiding conflicts of interest with Data Fiduciaries. CMs must also maintain records of all consent activities for a minimum period of seven years.

7.2 Data Fiduciary-Processor Relationship

The DPDP Act clearly states that the Data Fiduciary remains primarily and ultimately responsible for compliance (Section 8(1)), regardless of any processing carried out by a Data Processor. This non-delegable accountability necessitates a strong contractual relationship.

Rule 6(f) mandates that the Data Fiduciary – Data Processor (DF-DP) contract must include appropriate provisions ensuring that the Data Processor implements reasonable security safeguards. This structure compels Data Fiduciaries to conduct intensive due diligence and ongoing monitoring of their vendor ecosystem.

8. Enforcement Architecture and the Monetary Penalty Regime

8.1 Powers and Procedure of the Board

The DPBI is empowered to handle complaints, investigate violations, and impose penalties. It can direct urgent remedial or mitigation measures immediately in cases of data breach. For inquiries, the Board is vested with the powers of a civil court, including the ability to summon attendance, examine witnesses, and inspect data and documents.

Section 32 allows the Board to accept a Voluntary Undertaking (VU) from a person at any stage of a proceeding. Acceptance of the VU bars further proceedings regarding the subject matter, but breach of the undertaking is deemed a breach of the Act itself, leading to penalties.

8.2 The Severe Penalty Schedule (Section 33, Schedule)

Section 33 authorises the Board to impose monetary penalties specified in the Schedule if a breach is determined to be significant. Penalty determination considers factors such as the nature, gravity, and duration of the breach, the type of data affected, repetitive nature, any gain realised, and the effectiveness of mitigation actions.

The scale of maximum fines emphasises data security and protection of children as regulatory priorities.

8.3 DPDP Act Schedule – Major Penalties Overview

| Sl. No. | Breach of Provision | DPDP Act Section | Maximum Monetary Penalty |
|---|---|---|---|
| 1. | Failure to take reasonable security safeguards | Sec. 8(5) | May extend to two hundred and fifty crore rupees (₹250 Crore) |
| 2. | Failure to notify the Board/Data Principal of a data breach | Sec. 8(6) | May extend to two hundred crore rupees (₹200 Crore) |
| 3. | Breach in observance of obligations related to Children | Sec. 9 | May extend to two hundred crore rupees (₹200 Crore) |
| 4. | Breach of additional obligations by SDFs | Sec. 10 | May extend to one hundred and fifty crore rupees (₹150 Crore) |

The ₹250 Crore maximum penalty for security failures (Section 8(5)) highlights the severe view taken on inadequate technical protection, necessitating that security funding be prioritised as a core risk reduction mandate.

9. Strategic Recommendations and Call to Action for Stakeholders

The DPDP Rules, 2025, provide the specific operational details necessary for compliance. The eighteen-month runway for core obligations (May 2027) requires immediate and comprehensive action across all organisational domains.

9.1 Compliance Road Mapping and Governance

  1. Phase-Gated Compliance – Segment compliance into structured projects – Phase 1 (0-12 months) must focus on Consent Manager Strategy and breach protocol readiness (Rule 4, Rule 7). Phase 2 (12-18 months) requires the full deployment of compliant consent mechanisms (Rule 3) and automated erasure systems (Rule 8).
  2. Data Inventory and Mapping – Conduct a comprehensive exercise to classify data streams, define all “specified purposes,” and ensure current data retention policies align with the statutory deadlines and the mandatory minimum log retention periods.
  3. SDF Status Preparation – Organisations nearing high volume/sensitivity thresholds should proactively prepare for potential SDF designation by establishing dedicated DPO roles (India-based, reporting to the Board of Directors) and onboarding independent data auditors.
  4. Vendor Contract Review – All contracts with Data Processors must be urgently updated to incorporate the mandatory security safeguard provisions required by Rule 6(f) and to confirm the Data Fiduciary’s non-delegable accountability (Sec 8(1)).

9.2 Technical and Operational Implementation

  • Security Uplift and Log Management – Immediately review and enhance security measures (Rule 6), focusing on mandatory data encryption, masking, and robust access control. Highest priority must be given to complying with the one-year log retention mandate (Rule 6(e), Rule 8(3)), requiring substantial, secure logging infrastructure investment.
  • Incident Response Maturity – Given the mandatory 72-hour reporting timeline to the DPBI (Rule 7), Incident Response Plans must be fully mature, enabling rapid forensic investigation, impact assessment, and formal statutory reporting within the compressed timeframe.
  • Verifiable Consent Infrastructure – For platforms processing child or vulnerable Data Principal data, immediately initiate integration with authorised identity verification systems (such as the Digital Locker Service Provider) to meet the Rule 10 verifiable consent standard by May 2027.

9.3 Algorithmic and Lifecycle Management

  1. Algorithmic Governance – Significant Data Fiduciaries must embed the Rule 13(3) requirements into their product development lifecycle. This involves systematically subjecting decision-making algorithms (AI/ML) to specific privacy and rights impact assessments to institutionalise Algorithmic Due Diligence.
  2. DLM Automation – Implement sophisticated, automated Data Lifecycle Management systems capable of tracking user inactivity, managing complex retention periods, and executing the mandatory 48-hour pre-erasure notification protocol (Rule 8).

The DPDP Rules, 2025, transform India’s data protection framework, demanding foundational changes in governance, technical operations, and risk management. The eighteen-month commencement period is a tight schedule for these technical and resource-intensive compliance projects. Organisations must act decisively to mitigate the severe financial and legal risks associated with non-compliance.


[1] Notification No. G.S.R. 846(E), Dated 13-11-2025

[2] Notification No. G.S.R. 843(E), Dated 13-11-2025

[3] Notification No. G.S.R. 844(E), Dated 13-11-2025

[4] Notification No. G.S.R. 844(E), Dated 13-11-2025

[5] Notification No. G.S.R. 845(E), Dated 13-11-2025

The post [Analysis] India’s DPDP Act and Rules 2025 – Timeline | Obligations | Enforcement appeared first on Taxmann Blog.
