On 13 July 2026, IFSCA’s Quasi-Judicial Authority for Enforcement (QJAE) passed an ex-parte ad-interim order against We Founder Circle Angel Accelerator LLP (IFSC Branch), a registered FME managing a CAT I Angel Scheme at GIFT IFSC.
Here’s what makes this order worth every fund manager’s attention: the FME was itself the victim of a cyber fraud. No allegation of misappropriation. No suggestion of diversion by insiders. And yet, the regulator directed it to deposit USD 100,000 in an earmarked account and barred it from launching any new scheme.
That is the headline lesson — and it deserves unpacking.
What Happened
In April 2026, the FME pooled USD 100,000 (approx. ₹94 lakh) from 17 investors for a proposed SAFE investment in a US startup, BentoLabs AI, Inc. On 30 April 2026, the amount was remitted through banking channels.
It was then discovered that fraudsters had infiltrated the email communication chain between transaction participants using impersonation email IDs, and circulated manipulated bank account details. The funds landed in an unintended beneficiary account with Bank of America — held in the name of an entity conveniently styled “Sherrygold LLC DBA BentoLabs AI Inc.”
A classic Business Email Compromise (BEC). The FME’s own systems, per its submission, were not compromised.
To its credit, the FME moved quickly on paper:
- Notified remitting and intermediary banks and initiated SWIFT recall (4 May 2026)
- Filed an IC3 complaint in the US, an FTC fraud report (shared with the FBI), and a cybercrime complaint in India (4–5 May 2026)
- Self-reported the incident to IFSCA on 9 May 2026
Where It Went Wrong with the Regulator
The order’s factual narrative is a case study in how not to manage post-incident regulatory engagement:
May–June 2026: IFSCA sought facts, held in-person meetings with the Principal Officer and Financial Controller, and received investor complaints — including a collective complaint on 16 June 2026.
10 June 2026: IFSCA asked for a resolution plan with timelines within one week. No response was furnished.
17 June 2026: The Principal Officer was summoned. IFSCA directed a concrete plan — either allot units or refund the investors — by end of that week. The FME asked for 15 days.
30 June – 10 July 2026: The FME sought “one to two months,” then time till 8 July, then reported that detailed discussions had been completed with only 4 of 17 investors, and asked investors themselves for another 2–3 months.
More than two months after the incident: no units allotted, no refunds made, no definitive plan. That timeline — not the fraud itself — is what triggered the interim order.
The Legal Hook: Regulation 118 and the Code of Conduct
QJAE anchored its prima facie findings in Regulation 118 of the IFSCA (Fund Management) Regulations, 2025 read with Part A of the Third Schedule — the Code of Conduct. The specific clauses invoked are telling:
- Clause (b): The FME is responsible for acts of commission or omission by its employees and service providers
- Clause (c): No contract or termination absolves the FME, its partners or officers of liability to the scheme or investors
- Clause (h): Investors must receive adequate, accurate and timely information about the scheme’s affairs
- Clause (k): High standards of integrity and fairness in all dealings
- Clause (l): High standards of service, due diligence, proper care and independent professional judgment
The finding is blunt: pooled investor money was required to be invested in BentoLabs AI per the term sheet; it went to a third-party account instead; and despite two months of “recovery efforts,” investors had neither units nor refunds. Prima facie, that is a failure of due diligence and of fiduciary obligations — irrespective of who perpetrated the fraud.
The Directions
Exercising powers under Sections 12, 13(1) and 13(4) of the IFSCA Act, 2019 read with Sections 11(1), 11(4) and 11B(1) of the SEBI Act, 1992 (delegated to QJAE under Section 23), the order directs:
- Deposit USD 100,000 in the FME’s GIFT-IFSC bank account within 60 days, separately earmarked, not to be withdrawn without prior IFSCA permission
- The IFSC Banking Unit must ensure no withdrawal without proof of IFSCA approval
- Freeze on new schemes in GIFT-IFSC until the deposit is made
The FME has 21 days to file objections and seek a personal hearing.
Seven Learnings for FMEs at GIFT IFSC
1. Victimhood is not a defence to fiduciary failure. The Code of Conduct doesn’t ask whether you intended the loss. It asks whether you exercised due diligence and protected investor money. A BEC that succeeds because bank account details were accepted over email is, in the regulator’s eyes, a controls failure — yours.
2. Payment verification controls are now a regulatory expectation, not best practice. Every FME making cross-border remittances should mandate out-of-band verification (callback to a pre-verified number) for beneficiary account details, prohibit acceptance of banking changes via email alone, and document the verification trail. This single SOP would have prevented this entire matter.
3. Self-reporting buys goodwill, not immunity. The FME did the right thing by intimating IFSCA within days. But self-reporting is the start of regulatory engagement, not its conclusion. What the regulator measures thereafter is remediation velocity.
4. Missed regulatory deadlines are accelerants. Read the order’s Section B carefully: the inflection point was the FME’s failure to respond to the 10 June email within the stipulated week. From there, every extension request compounded the impression of drift. When a regulator gives you a one-week deadline, silence is the most expensive response available.
5. “Issue units or refund” is the binary the regulator works with. Cross-border recovery complexity, SWIFT recalls, FBI coordination — none of it suspends the investor’s entitlement. If money is stuck, the FME (or its sponsors) may effectively have to make investors whole from its own resources. The deposit direction operationalises exactly that.
6. QJAE’s interim toolkit is fully operational. This order confirms the enforcement architecture: SEBI Act Section 11/11B powers, exercised through Section 13 of the IFSCA Act, delegated to QJAE. Ex-parte interim directions — deposit, earmarking, business restrictions — can arrive pending investigation, on prima facie findings alone. The bar is investor protection, not proof of culpability.
7. Investor communication is a compliance obligation, not a courtesy. Detailed discussions with 4 of 17 investors, two months in, was cited in the order. Clause (h) of the Code of Conduct converts poor investor communication into a standalone violation. A structured, documented, all-investor communication cadence within days of an incident is now the defensible standard.
The Bigger Picture
GIFT IFSC’s fund management ecosystem is scaling fast, and angel schemes — with their small teams, cross-border deal flow and email-driven closings — are structurally exposed to BEC risk. This order tells every FME that cyber fraud sitting outside your infrastructure still lands inside your liability.
The practical mandate is clear: build payment verification SOPs, wire them into your operations manual, test them, and — if an incident occurs — treat regulatory timelines as sacrosanct and investor restitution as the first workstream, not the last.
Because in the regulator’s framework, there is no such thing as an FME that is merely a victim. There is only an FME that either protected investor money — or didn’t.
The order (IFSCA-AIF/98/2026) is an ex-parte ad-interim order based on prima facie findings; the Noticee has 21 days to respond and the investigation remains open.