GCC Compliance in India: Transfer Pricing, DPDP & Entity Setup

Why GCC compliance in India looks scarier than it is

Ask a CTO why they have not built in India yet, and "compliance" sits near the top of the list — a fog of entity law, tax rulings, data regulation, and foreign-exchange controls that feels like a reason to keep burning US payroll. The honest answer: GCC compliance in India is real work, but it is bounded, well-trodden, and almost entirely delegable.

More than 2,100 capability centers run inside the same framework. Nothing here is novel; it is a checklist, and the checklist is the point. The companies that stall are the ones who treat each acronym as a separate research project instead of one packaged workstream. Treated as the latter, the legal layer becomes the boring foundation under the interesting thing — a second home for your engineering, not an offshoring experiment.

Compliance is not the reason to delay a GCC. Done right, it is the boring, automatable part — the genius is in the team you build on top of it.

The five layers, on one page

A GCC in India touches five distinct legal layers. Each has an owner, a timeline, and a 2026 fact worth knowing. Here they are together, before we go deeper on the two that have changed this year.

Entity setup: the foundation

For a team you intend to own and direct over the long term, the answer is almost always a wholly-owned subsidiary structured as a private limited company. It gives you a clean cap table, a local bank account, the ability to sign Indian employment contracts, and a vehicle that can hold intellectual property. Incorporation plus the stack of registrations — PAN, TAN, GST, PF/ESI, Shops & Establishment, IEC where relevant — typically runs six to eight weeks when a specialist drives it.

You do not have to start with your own entity. Many first-timers begin under an employer-of-record or a partner's entity and migrate later, which is exactly the shape of a Build-Operate-Transfer engagement: the partner builds and runs the team on their entity, then transfers the entity and people to you once the model is proven. The compliance work is the same either way — the only question is whose name is on the certificate of incorporation on day one.

Transfer pricing: the 2026 safe harbour that ends the argument

Transfer pricing governs how your India subsidiary bills its US parent for the work it does. Because the two are related parties, Indian tax authorities want assurance the markup is arm's-length — and historically this was the single biggest source of audit anxiety for a captive.

That argument is now largely settled. Effective 1 April 2026, India's expanded safe harbour lets eligible IT and software-development services bill the parent at a 15.5% cost-plus markup. Elect it, document it, and your intercompany pricing is presumptively accepted — no protracted dispute, no defending a transfer-pricing study under examination. For a first-time builder, that converts the scariest line on the tax page into a known, predictable number you can put straight into the model.

DPDP: India's data-protection regime

The Digital Personal Data Protection Act (DPDP) is India's GDPR-style framework for handling personal data. It matters to a GCC because your India team will touch user data, employee data, and customer records — and the penalties are not symbolic: serious breaches can draw fines of up to ₹250 crore.

The compliance runway is real but generous. Final compliance is expected by May 2027, which means a team standing up in 2026 has the luxury of building data handling correctly from the first commit rather than retrofitting it under deadline. Get the basics right early — data-processing agreements, consent and retention practices, access controls, and a clear map of what data crosses which border — and DPDP becomes a one-time setup, not a recurring fire drill.

FEMA and IP assignment: the money and the code

Two layers quietly decide whether a GCC actually works as intended. The first is FEMA — the Foreign Exchange Management Act — which governs how money moves across the border: the capital you inject to fund the entity, and the intercompany payments that flow back as you bill under the safe harbour. It is procedural, not punitive, but it has to be set up correctly so your funding and invoicing do not snag.

The second is IP assignment, and it is the one founders most often underestimate. The entire point of a captive is that the code, models, and inventions your India team produces belong to the parent — cleanly, with no ambiguity. That requires the right language in employment agreements and the entity's own constitutional documents so that IP vests in the company and assigns up to the parent by default. Skip it and you can build a brilliant team whose output you do not unambiguously own. Get it right on day one and it never surfaces again.

Compliance-in-a-box: why a specialist beats DIY

Here is the reframe that turns compliance from a blocker into a feature you can sell internally to your CFO and board: none of these five layers needs to be your problem. A capable GCC partner bundles entity setup, transfer pricing, DPDP, FEMA, and IP assignment into a single managed workstream — "compliance-in-a-box" — executed through specialist Indian counsel while you stay focused on hiring and product.

This is the difference between an EOR seat vendor and a real build partner. The first gives you payroll; the second gives you a compliant, IP-clean, audit-ready entity and the team inside it. It is the backbone of the managed-GCC and BOT models described in how it works, and it is why a vetted pod can be live in weeks rather than the two-to-three quarters a DIY setup tends to consume. The compliance is real — you just are not the one doing it.

Tier-2 cities: a margin and retention lever

One decision sits adjacent to compliance and quietly moves your economics: where you put the team. Bangalore, Hyderabad, and Chennai are the primary hubs and the right call for a first senior site leader, where the deep talent pool matters most. But for scaled teams and specific functions, Tier-2 cities — Coimbatore, Ahmedabad, Jaipur — run roughly 25–30% cheaper and often show lower attrition because there is simply less poaching.

That combination lifts both margin and retention, the two numbers that decide whether a GCC compounds. The trade-off is a shallower bench of senior leaders, so Tier-2 works best once you have an anchor in a primary hub and are extending, not when you are placing your first critical hire. For a full picture of how location feeds the unit economics, see what a GCC in India actually costs — and when you are ready to sequence the build itself, the 90-day build playbook lays out the order of operations.

This is practical orientation, not legal advice — the specifics of your structure should be confirmed with qualified Indian counsel. But the shape is reassuringly consistent across the 2,100-plus centers already operating: a bounded checklist, a known set of numbers, and a partner who runs it so you can build the team that actually matters.