Whistleblower Protection & Vigil Mechanism in India: Requirements for Foreign Companies

Foreign companies operating in India face mandatory whistleblower and vigil mechanism requirements under the Companies Act 2013, SEBI LODR Regulations, and the Whistleblowers Protection Act 2014. This guide covers which entities must comply, how to structure the mechanism, audit committee oversight, penalties for non-compliance, and practical implementation steps for foreign subsidiaries.

By Manu Rao, March 21, 2026. 11 min read. Last updated June 12, 2026.

Why Foreign Companies Cannot Ignore India's Whistleblower Framework

India's whistleblower protection regime is not a single statute — it is a layered framework spanning three distinct legal instruments, each with different applicability triggers, compliance obligations, and penalty structures. For foreign companies operating through Indian subsidiaries, understanding which laws apply and how they interact is critical to avoiding regulatory penalties that can reach INR 5,00,000 per violation.

The three pillars of India's whistleblower framework are Section 177 of the Companies Act, 2013 (vigil mechanism), the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (for listed entities and their subsidiaries), and the Whistleblowers Protection Act, 2014 (for disclosures against public servants). Each has distinct requirements, and a foreign subsidiary may trigger obligations under one, two, or all three depending on its structure and activities.

This guide maps every requirement, explains which provisions apply to different types of foreign-owned entities, and provides a practical implementation framework. All requirements cited are current for FY 2026-27, incorporating the SEBI LODR amendments effective from April 1, 2025.

Section 177 of the Companies Act 2013: The Vigil Mechanism

Section 177, sub-sections (9) and (10), of the Companies Act, 2013 mandates that specified categories of companies establish a vigil mechanism for directors and employees to report concerns about unethical behaviour, actual or suspected fraud, or violations of the company's code of conduct.

Which Companies Must Comply

The vigil mechanism requirement under Section 177 applies to:

  • Every listed company
  • Every company that accepts deposits from the public
  • Every company that has borrowed money from banks and public financial institutions in excess of INR 50 crore
  • Companies with a turnover of INR 200 crore or more (as prescribed under the Companies (Meetings of Board and its Powers) Rules, 2014)

For foreign subsidiaries, the trigger is typically the borrowing threshold. If your Indian subsidiary has taken loans from Indian banks exceeding INR 50 crore in aggregate, the vigil mechanism becomes mandatory — regardless of whether the parent company already has a global whistleblower policy.

Mandatory Components

The vigil mechanism established under Section 177 must include:

  1. Reporting channels: Clearly defined mechanisms through which directors and employees can report genuine concerns
  2. Protection against victimisation: Adequate safeguards to protect whistleblowers from adverse employment actions, transfers, or termination
  3. Direct access to Audit Committee: The mechanism must provide for direct access to the Chairperson of the Audit Committee in appropriate or exceptional cases
  4. Confidentiality: The identity of the whistleblower must be kept confidential throughout the investigation process

Audit Committee Oversight

Companies required to constitute an Audit Committee must manage the vigil mechanism through that committee. The Audit Committee must have a minimum of three directors, with at least two-thirds being independent directors. For companies not required to form an Audit Committee, the Board of Directors must designate a director to manage the mechanism.

The Audit Committee must review the functioning of the vigil mechanism at each meeting, including the number of complaints received, investigations initiated, outcomes, and any instances of victimisation reported.

SEBI LODR Requirements for Listed Entities and Subsidiaries

If a foreign company's Indian subsidiary is listed on an Indian stock exchange, or if the foreign parent is listed and has a material Indian subsidiary, additional whistleblower requirements under SEBI's LODR Regulations apply.

Core SEBI Requirements

Regulation 22 of the SEBI LODR Regulations requires every listed entity to:

  • Formulate a vigil mechanism/whistleblower policy for directors and employees to report genuine concerns
  • Provide adequate safeguards against victimisation of persons who use the mechanism
  • Provide direct access to the Chairperson of the Audit Committee in appropriate or exceptional cases
  • Disseminate the vigil mechanism and whistleblower policy on a separate section of the company's website

SEBI Informant Mechanism for Insider Trading

SEBI also operates a separate Informant Mechanism under the SEBI (Prohibition of Insider Trading) Regulations, 2015. This mechanism allows any person — not just employees — to submit information about insider trading violations through a Voluntary Information Disclosure Form (VIDF).

Key features of the SEBI Informant Mechanism:

  • Informants can submit directly or through legal representatives (identity disclosure only required for direct submissions)
  • The Office of Informant Protection (OIP) manages all communications with informants
  • Financial rewards may be paid for information leading to enforcement action
  • Confidentiality of the informant's identity is protected

2025-2026 SEBI Amendments Impact

The SEBI LODR amendments effective from April 1, 2025, strengthened subsidiary-level governance requirements. Audit Committee jurisdiction over related party transactions at the subsidiary level has been expanded — previously, approval was required only if values exceeded 10% of the listed entity's consolidated or standalone turnover. Listed entities now need group-wide related party transaction registers and centralised monitoring.

Additionally, SEBI's January 2026 LODR amendment restructured the High Value Debt Listed Entity (HVDLE) framework, which affects whistleblower mechanism requirements for entities with listed debt securities.

The Whistleblowers Protection Act, 2014

The Whistleblowers Protection Act, 2014 (originally the Whistle Blowers Protection Act, 2011) provides a mechanism for investigating alleged corruption and misuse of power by public servants. While primarily targeted at government officials, its scope extends to any person making disclosures about corruption in public bodies with which a foreign company may interact.

Key Provisions

  • Scope: Covers disclosures about corruption, misuse of public office, unlawful actions, and abuse of authority
  • Protection: Whistleblowers are protected against retribution including dismissal, harassment, and threats
  • Identity requirement: The Act does not accept anonymous complaints — whistleblowers must identify themselves
  • Competent authority: Disclosures are made to designated competent authorities (Central Vigilance Commission for central government entities)

Penalty Structure

Violation                                    | Penalty
---------------------------------------------|------------------------------------------------------
Revealing whistleblower identity             | Imprisonment up to 3 years + fine up to INR 50,000
False or misleading disclosure (Section 17)  | Imprisonment up to 2 years + fine up to INR 30,000
Retaliation against whistleblower            | Imprisonment + fines (quantum varies by severity)

Relevance to Foreign Companies

While the WBP Act primarily targets disclosures against public servants, foreign companies interacting with government agencies (customs, tax, regulatory bodies) should be aware that their employees may use this mechanism to report corruption encountered in government dealings. A robust internal vigil mechanism can channel such concerns internally first, reducing the risk of uncontrolled external disclosures.

This is particularly relevant for companies dealing with import/export clearances, environmental permits, land acquisition approvals, and tax assessments — all areas where government interface is frequent and where employees may encounter requests for improper payments. The internal vigil mechanism should explicitly identify government-interface corruption as a reportable concern, with a clear escalation path that includes the parent company's anti-corruption compliance team.

Foreign companies subject to the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act face heightened risk if government-interface corruption at their Indian subsidiary is not detected and addressed through internal channels. A functioning vigil mechanism serves as both a compliance tool and a defence in cross-border anti-corruption investigations.

Penalties for Non-Compliance with Vigil Mechanism Requirements

The penalty framework differs across the three statutes:

Companies Act 2013 Penalties

Violation                                   | Company Penalty          | Officer Penalty
--------------------------------------------|--------------------------|-------------------------------------
Failure to establish vigil mechanism        | Fine up to INR 5,00,000  | Fine up to INR 1,00,000 per officer
Failure to disclose on website/annual report| Fine up to INR 5,00,000  | Fine up to INR 1,00,000 per officer
Victimisation of whistleblower              | Determined by tribunal   | Personal liability of directors

SEBI LODR Penalties

Non-compliance with SEBI LODR whistleblower requirements can attract penalties under Section 15HB of the SEBI Act, 1992 — up to INR 1 crore for each violation. SEBI can also issue directions under Section 11 and 11B, including suspension of trading, delisting proceedings, and restrictions on market access.

WBP Act Penalties

As detailed above — imprisonment up to 3 years for identity disclosure, up to 2 years for false complaints, plus monetary fines.

Structuring the Vigil Mechanism: A Practical Framework for Foreign Subsidiaries

Foreign companies often attempt to simply extend their global whistleblower policy to the Indian subsidiary. This approach fails for three reasons: Indian law requires specific components not present in most global policies, the mechanism must be overseen by the Indian entity's Audit Committee (not a global compliance team), and the policy must be disclosed on the Indian entity's website and in its annual report.

Step 1: Draft the Policy

The vigil mechanism policy must include:

  • Clear definition of reportable conduct (fraud, corruption, financial irregularity, violation of code of conduct, FEMA violations, transfer pricing manipulation, regulatory non-compliance)
  • Multiple reporting channels (email, phone hotline, physical letter to Audit Committee Chairperson)
  • Timeline for acknowledgment (typically 3 business days) and investigation completion (30-60 days)
  • Protection guarantees against victimisation, with specific examples of prohibited retaliation
  • Process for direct escalation to Audit Committee Chairperson
  • Consequences for false or malicious complaints

Step 2: Constitute the Oversight Structure

Appoint an Ethics Committee or Ombudsman to receive and triage complaints. Ensure the Audit Committee has clear authority to oversee investigations, including access to all company records and the power to engage external investigators. The resident director should be designated as the primary point of contact for complaints requiring immediate attention.

Step 3: Implement Reporting Infrastructure

Deploy multiple reporting channels that ensure confidentiality:

  • Dedicated email address accessible only to the Ethics Officer and Audit Committee Chairperson
  • Third-party whistleblower hotline service (available from providers like EthicsPoint, NAVEX Global, or Indian alternatives like IntelliQ)
  • Physical mail option addressed to the Audit Committee Chairperson at the registered office
  • Option for submission through legal representative

Step 4: Board Approval and Disclosure

The vigil mechanism policy must be approved by the Board of Directors and disclosed in two mandatory locations:

  1. A dedicated section on the company's website
  2. The Board of Directors' annual report (Directors' Report)

Step 5: Ongoing Compliance

Conduct annual awareness training for all employees on the vigil mechanism. The Audit Committee must review the mechanism's functioning at each meeting. Maintain records of all complaints received, investigations conducted, and outcomes — these records may be requested during statutory audits or regulatory inspections.

Interaction with Parent Company Policies

Many foreign parent companies already operate robust whistleblower programmes compliant with US SOX, EU Whistleblower Directive, or UK regulations. The Indian vigil mechanism can be integrated with the global programme, provided the Indian-specific requirements are met.

Integration Approach

  • Dual reporting: Allow complaints to flow to both the Indian Audit Committee and the global ethics hotline, with the Indian committee retaining oversight for India-specific matters
  • Jurisdictional clarity: Define which complaints are handled locally versus globally. Matters involving Indian regulatory compliance (FEMA, GST, Companies Act) should remain under Indian oversight
  • Data localisation: Ensure complaint data involving Indian employees complies with India's data protection framework under the Digital Personal Data Protection Act, 2023
  • Language access: Provide reporting channels in Hindi and relevant regional languages, not just English

Cross-border investigations involving the Indian subsidiary must comply with FEMA regulations if legal or investigation costs are being paid cross-border, and with transfer pricing documentation requirements if investigation costs are charged as management fees.

Industry-Specific Whistleblower Requirements

Beyond the general framework, certain sectors have additional whistleblower and reporting obligations that affect foreign subsidiaries:

Banking and Financial Services

Foreign banks operating branches or subsidiaries in India must comply with RBI's Protected Disclosure Scheme, which allows employees to report fraud, corruption, or mismanagement directly to the RBI. The scheme provides protection against victimisation and is managed separately from the company's internal vigil mechanism. NBFCs (Non-Banking Financial Companies) registered with the RBI are similarly required to have whistleblower policies aligned with RBI governance guidelines.

Insurance Companies

IRDAI (Insurance Regulatory and Development Authority of India) requires all insurance companies to establish a whistleblower mechanism. Foreign insurance joint ventures — common given the FDI cap in insurance (now 100% with conditions) — must ensure the mechanism covers both the Indian entity and the joint venture partner's employees with access to the Indian operations.

Pharmaceutical and Healthcare

While no sector-specific whistleblower mandate exists, pharmaceutical companies are increasingly adopting enhanced vigil mechanisms covering clinical trial irregularities, data integrity issues, and regulatory submission fraud. The Central Drugs Standard Control Organisation (CDSCO) accepts complaints about pharmaceutical malpractice, and having a robust internal mechanism can prevent such complaints from escalating to regulatory investigations.

IT and Technology Services

For foreign IT companies operating Indian subsidiaries — a significant category given India's position as a global technology services hub — the vigil mechanism should explicitly cover data protection violations under the Digital Personal Data Protection Act, 2023, intellectual property misappropriation, and client confidentiality breaches, all of which are common reportable concerns in the sector.

Documenting and Reporting: Annual Compliance Requirements

The vigil mechanism is not a set-and-forget compliance item. Indian law requires ongoing documentation and reporting:

Board Report Disclosure

The Directors' Report filed with the annual return must include a statement that the company has established a vigil mechanism and that no personnel have been denied access to the Audit Committee. If any complaints were received during the year, the report should provide summary statistics (number received, investigated, resolved) without disclosing the identity of complainants.

Website Disclosure

The whistleblower policy must be published on the company's website in a readily accessible location. For listed entities, SEBI mandates a separate section on the website dedicated to the vigil mechanism. The published policy should include reporting channels, the process for filing complaints, protection guarantees, and the Audit Committee's oversight role.

Audit Committee Minutes

The Audit Committee must maintain detailed minutes of its review of vigil mechanism functioning, including complaints received, investigation status, outcomes, and any recommendations for policy improvements. These minutes are subject to review during statutory audits and may be requested by regulatory authorities.

Record Retention

Complaint records, investigation files, and outcome documentation should be retained for a minimum of 8 years — aligning with the general document retention requirements under the Companies Act. For listed entities, SEBI may require longer retention for complaints involving securities law violations.

Common Mistakes Foreign Companies Make

  • Relying solely on global policy: Indian law requires a standalone vigil mechanism overseen by the Indian entity's Audit Committee. A reference to the parent company's hotline does not suffice
  • No website disclosure: Forgetting to publish the policy on the Indian entity's website — a specific SEBI LODR requirement for listed entities
  • Inadequate Audit Committee structure: The Audit Committee must have at least two-thirds independent directors. Staffing it with parent company nominees who are not independent under Indian law creates a compliance gap
  • No vernacular access: Providing only English-language reporting channels in a workforce that operates in Hindi or regional languages
  • Treating it as check-the-box: The mechanism must be a living compliance function with regular reviews, training, and documented outcomes — not a policy document filed and forgotten
  • No investigation protocol: Having reporting channels without a defined investigation process — including timelines, investigator appointment procedures, evidence preservation requirements, and outcome communication — renders the mechanism incomplete and exposes the company to allegations of bad-faith compliance

Enforcement Trends and Regulatory Scrutiny

Regulatory enforcement of vigil mechanism requirements has intensified significantly since 2024. The Ministry of Corporate Affairs (MCA) has increased scrutiny of compliance during annual return reviews, and companies found lacking a vigil mechanism when required face compounding penalties — the INR 5,00,000 fine applies for each year of non-compliance, not just the initial violation.

SEBI has been particularly active in penalising listed entities for inadequate whistleblower frameworks. In multiple enforcement actions during 2025, SEBI imposed penalties on companies where the vigil mechanism existed on paper but lacked functional reporting channels or where the Audit Committee had not documented any review of the mechanism. The message is clear: a policy document alone is insufficient — regulators expect evidence of active implementation and ongoing oversight.

For foreign subsidiaries, the risk extends beyond Indian penalties. If the Indian entity faces regulatory action for governance failures, the reputational impact flows upward to the parent company. In jurisdictions with SEC reporting requirements or EU governance mandates, a governance failure at an Indian subsidiary may trigger disclosure obligations and investor scrutiny at the parent level.

Additionally, the National Company Law Tribunal (NCLT) has admitted cases where whistleblower victimisation allegations formed part of oppression and mismanagement petitions under Sections 241-242 of the Companies Act. This creates litigation exposure for directors personally — not just the company — if whistleblower protections are inadequate.

Key Takeaways

  • Three laws govern whistleblower protection in India — Companies Act 2013 Section 177, SEBI LODR Regulations, and the Whistleblowers Protection Act 2014. Most foreign subsidiaries trigger requirements under at least the first
  • The INR 50 crore borrowing threshold is the most common trigger for foreign subsidiaries — if your Indian entity has bank loans exceeding this amount, the vigil mechanism is mandatory
  • Penalties reach INR 5,00,000 per violation under the Companies Act, and up to INR 1 crore per violation under SEBI regulations for listed entities
  • Global policies cannot substitute for a local vigil mechanism — Indian law requires specific components including Audit Committee oversight, website disclosure, and annual report inclusion
  • Implementation takes 4-8 weeks including policy drafting, Board approval, infrastructure setup, and employee training

For assistance establishing compliant governance structures for your Indian subsidiary, explore our annual compliance services and foreign subsidiary registration. For understanding the broader governance framework, see our guide to compliance deadlines foreign companies miss.

Frequently Asked Questions

Is a vigil mechanism mandatory for all foreign subsidiaries in India?

Not all, but most. The vigil mechanism is mandatory if your Indian subsidiary is listed, accepts public deposits, has bank borrowings exceeding INR 50 crore, or has turnover exceeding INR 200 crore. The INR 50 crore borrowing threshold is the most common trigger for foreign-owned entities.

Can a foreign parent company's global whistleblower policy substitute for the Indian vigil mechanism?

No. Indian law requires a standalone vigil mechanism overseen by the Indian entity's Audit Committee, with mandatory website disclosure and inclusion in the Directors' Report. A global policy can be integrated with the Indian mechanism, but the Indian-specific components must be independently maintained.

What penalties apply for not establishing a vigil mechanism in India?

Under the Companies Act, the company faces a fine of up to INR 5,00,000, and each responsible officer may be fined up to INR 1,00,000. For listed entities, SEBI can impose penalties up to INR 1 crore per violation, plus trading suspensions or delisting proceedings.

Who oversees the vigil mechanism in an Indian company?

The Audit Committee oversees the vigil mechanism. It must have at least three directors with at least two-thirds being independent directors. For companies not required to form an Audit Committee, the Board of Directors designates a director to manage the mechanism.

Does the Indian whistleblower framework protect anonymous complaints?

The Whistleblowers Protection Act 2014 does not accept anonymous complaints — whistleblowers must identify themselves. However, the Companies Act vigil mechanism and SEBI framework focus on confidentiality protections rather than anonymity. Companies can choose to accept anonymous complaints through their internal policy, but the legal protection framework requires identity disclosure.

What is the SEBI Informant Mechanism?

The SEBI Informant Mechanism allows any person to report insider trading violations through a Voluntary Information Disclosure Form. It is managed by SEBI's Office of Informant Protection, provides confidentiality safeguards, and may result in financial rewards for information leading to enforcement action. It operates separately from the company-level vigil mechanism.

How long does it take to implement a vigil mechanism for an Indian subsidiary?

Implementation typically takes 4-8 weeks, including policy drafting (1-2 weeks), Audit Committee and Board approval (1-2 weeks), reporting infrastructure setup (1-2 weeks), and employee awareness training (1-2 weeks). Third-party hotline services can be deployed within 2-3 weeks.
