BT Explainer: Why visa service provider VFS Global is in the spotlight
Internal monitoring reports obtained by non-profit investigative newsroom Lighthouse Reports have raised serious questions about VFS Global’s operations in India
- May 29, 2026,
- Updated May 29, 2026 2:50 PM IST
It all started as an idea back in 2001, when an idea would go on to change how millions of people applied for visas globally. Zubin Karkaria conceptualised and founded VFS Global as an outsourced visa services company, building it into a global leader within four to five years of its launch.
Today, VFS Global is one of the most important names in cross-border mobility. The company works with governments around the world, handling front-end administrative tasks for visa, passport and consular services. It is headquartered in Zurich and Dubai, majority owned by Blackstone, and counts Kuoni, Hugentobler Foundation, Temasek and Dubai Holdings among its minority shareholders.
The company’s scale is massive. VFS Global says it serves 71 governments, operates 4,105 application centres across 168 countries, and has processed more than 542.42 million transactions since 2001. It has also handled over 231.62 million biometric enrolments since 2007.
But the same scale that made VFS Global a central player in global mobility has now put it under intense scrutiny.
Why is VFS Global in the spotlight?
Internal monitoring reports obtained by non-profit investigative newsroom Lighthouse Reports have raised serious questions about VFS Global’s operations in India. The reports, based on assessments across multiple EU nations, flagged alleged irregularities, data vulnerabilities and processing failures at visa application centres.
According to the documents, a 20-member EU delegation recently visited India to discuss these concerns with VFS management. The visit followed field assessments and questionnaires filled out by 11 member states.
The internal EU documents cited several issues, including “laxity in following instructions, documents not arranged in proper sequence, scanning-related issues, and IT infrastructure and bandwidth problems.” The reports also said that New Delhi was identified by a majority of member states as the visa application centre with the highest concentration of processing errors.
The documents were obtained through more than 40 Freedom of Information requests filed with the European Commission, the United Kingdom and individual EU member states. The investigation involved media partners across 11 countries, including The Indian Express in India, Der Spiegel in Germany and Le Monde in France.
How did VFS Global violate the Schengen Visa code?
One of the most serious parts of the investigation relates to applicant data.
The reports said inspectors found that personal and biometric data of applicants were often stored on unencrypted discs during transport and handling. A 2025 report from the Hungarian consulate also found that applicant data older than one month remained accessible within the VFS system in New Delhi.
This, according to the report, violated the Schengen visa code, which requires data deletion within seven days of transmission.
What is the Schengen Visa Code, and why does the 7-day rule matter?
The Schengen Visa Code is the European Union's unified legal framework that governs how short-stay visas are processed and issued across all 27 Schengen member states. It is the rulebook that every visa application centre, including outsourced operators like VFS Global, is legally bound to follow. Among its provisions is a strict limit on how long a visitor can stay: 90 days within any 180-day period.
Embedded within the Code and reinforced by the EU's Visa Information System (VIS) regulations is a specific data handling requirement, the seven-day deletion rule. Once an applicant's personal and biometric data has been successfully transmitted to the relevant diplomatic mission or central database, that data must be deleted from all local systems within seven days. No exceptions.
The rationale is straightforward. Sensitive data sitting in local caches, on unencrypted discs, or within the IT infrastructure of an outsourced application centre is a security liability. The EU's General Data Protection Regulation (GDPR) and VIS protocols are explicit: once transmission is complete, local retention serves no legitimate purpose and creates unnecessary risk.
Long-term storage is handled differently. The central VIS database retains data securely for up to five years for legal verification and future processing, but that responsibility sits with the centralised system, not with a third-party visa centre in New Delhi or anywhere else.
What about appointment slots and extra services?
The investigation also pointed to procedural inconsistencies and allegations related to appointment bookings. Several member states noted complaints about black-marketing of online appointment slots.
Auditors also examined VFS Global’s value-added services business, which includes premium lounges, courier delivery and SMS alerts. In India, the company’s value-added services business reportedly has pre-tax margins of up to 70 percent.
A 2025 inspection by a Swedish mission in Mumbai found that VFS had failed to clearly display that these extra services were optional. The reports also said reimbursements for incorrectly charged applicants were mishandled.
What did monitors say about recurring failures?
According to the documents, every EU nation that raised structural concerns with VFS reported a similar pattern: temporary improvement after complaints, followed by a return to administrative laxity.
Monitors partly attributed the failures to “middle management” being either severely under-equipped or missing, pointing to weak on-the-job supervision.
How has VFS Global responded?
VFS Global has rejected any suggestion that its operations lack oversight. Responding to the global investigation, the company said its services are transparent, tightly audited and “subject to rigorous and continuous government oversight”.
The company said it operates under strong compliance systems and undergoes “more than 10,000 audits and assessments annually, conducted by internal and external auditors, including those assigned by client governments”.
It also said that wherever operational problems are found, “structured remediation plans are implemented”.
What does VFS Global actually do?
VFS Global says its role is limited to front-end administrative work. This includes collecting visa application forms, checking required documents as per government checklists, and enrolling biometrics where needed.
The company says it does not decide who gets a visa. It also says it does not control appointment availability, mandatory documentation or visa processing timelines. These decisions, according to the company, remain entirely with the respective governments.
This distinction is central to VFS Global’s defence. It presents itself as an administrative and technology services provider, not a visa decision-making authority.
How does it impact travellers and visa holders?
VFS Global’s importance has grown as governments increasingly outsource parts of the visa process to external service providers. That model allows diplomatic missions to handle large volumes of applications while focusing on final assessment and decision-making.
But the EU now appears to be moving toward tighter checks. In its recently adopted EU Visa Policy Strategy, the European Commission said the “growing reliance by Member States on ESPs (External Service Providers) to handle parts of the visa process calls for improved quality control and monitoring.”
VFS Global official statement
“VFS Global is a trusted partner to governments worldwide. Given the nature of our work in visa administrative services, we operate under rigorous oversight across all markets, including for governments with some of the most stringent integrity and security requirements. For a quarter of a century, we have supported client governments in delivering secure and efficient visa services at scale, and our work is subject to regular competitive tender. We do not tolerate fraud, data misuse, or any conduct that falls below the high standards our clients and their applicants expect of us.
“Our optional value-added services are developed in consultation with, and approved and monitored by, our client governments. Whether applicants choose to use these services or not, they have no bearing on visa application decisions, which are solely a matter for governments. We are committed to ensuring that the optional nature of these services is clearly and consistently communicated at every touchpoint.”
It all started as an idea back in 2001, when an idea would go on to change how millions of people applied for visas globally. Zubin Karkaria conceptualised and founded VFS Global as an outsourced visa services company, building it into a global leader within four to five years of its launch.
Today, VFS Global is one of the most important names in cross-border mobility. The company works with governments around the world, handling front-end administrative tasks for visa, passport and consular services. It is headquartered in Zurich and Dubai, majority owned by Blackstone, and counts Kuoni, Hugentobler Foundation, Temasek and Dubai Holdings among its minority shareholders.
The company’s scale is massive. VFS Global says it serves 71 governments, operates 4,105 application centres across 168 countries, and has processed more than 542.42 million transactions since 2001. It has also handled over 231.62 million biometric enrolments since 2007.
But the same scale that made VFS Global a central player in global mobility has now put it under intense scrutiny.
Why is VFS Global in the spotlight?
Internal monitoring reports obtained by non-profit investigative newsroom Lighthouse Reports have raised serious questions about VFS Global’s operations in India. The reports, based on assessments across multiple EU nations, flagged alleged irregularities, data vulnerabilities and processing failures at visa application centres.
According to the documents, a 20-member EU delegation recently visited India to discuss these concerns with VFS management. The visit followed field assessments and questionnaires filled out by 11 member states.
The internal EU documents cited several issues, including “laxity in following instructions, documents not arranged in proper sequence, scanning-related issues, and IT infrastructure and bandwidth problems.” The reports also said that New Delhi was identified by a majority of member states as the visa application centre with the highest concentration of processing errors.
The documents were obtained through more than 40 Freedom of Information requests filed with the European Commission, the United Kingdom and individual EU member states. The investigation involved media partners across 11 countries, including The Indian Express in India, Der Spiegel in Germany and Le Monde in France.
How did VFS Global violate the Schengen Visa code?
One of the most serious parts of the investigation relates to applicant data.
The reports said inspectors found that personal and biometric data of applicants were often stored on unencrypted discs during transport and handling. A 2025 report from the Hungarian consulate also found that applicant data older than one month remained accessible within the VFS system in New Delhi.
This, according to the report, violated the Schengen visa code, which requires data deletion within seven days of transmission.
What is the Schengen Visa Code, and why does the 7-day rule matter?
The Schengen Visa Code is the European Union's unified legal framework that governs how short-stay visas are processed and issued across all 27 Schengen member states. It is the rulebook that every visa application centre, including outsourced operators like VFS Global, is legally bound to follow. Among its provisions is a strict limit on how long a visitor can stay: 90 days within any 180-day period.
Embedded within the Code and reinforced by the EU's Visa Information System (VIS) regulations is a specific data handling requirement, the seven-day deletion rule. Once an applicant's personal and biometric data has been successfully transmitted to the relevant diplomatic mission or central database, that data must be deleted from all local systems within seven days. No exceptions.
The rationale is straightforward. Sensitive data sitting in local caches, on unencrypted discs, or within the IT infrastructure of an outsourced application centre is a security liability. The EU's General Data Protection Regulation (GDPR) and VIS protocols are explicit: once transmission is complete, local retention serves no legitimate purpose and creates unnecessary risk.
Long-term storage is handled differently. The central VIS database retains data securely for up to five years for legal verification and future processing, but that responsibility sits with the centralised system, not with a third-party visa centre in New Delhi or anywhere else.
What about appointment slots and extra services?
The investigation also pointed to procedural inconsistencies and allegations related to appointment bookings. Several member states noted complaints about black-marketing of online appointment slots.
Auditors also examined VFS Global’s value-added services business, which includes premium lounges, courier delivery and SMS alerts. In India, the company’s value-added services business reportedly has pre-tax margins of up to 70 percent.
A 2025 inspection by a Swedish mission in Mumbai found that VFS had failed to clearly display that these extra services were optional. The reports also said reimbursements for incorrectly charged applicants were mishandled.
What did monitors say about recurring failures?
According to the documents, every EU nation that raised structural concerns with VFS reported a similar pattern: temporary improvement after complaints, followed by a return to administrative laxity.
Monitors partly attributed the failures to “middle management” being either severely under-equipped or missing, pointing to weak on-the-job supervision.
How has VFS Global responded?
VFS Global has rejected any suggestion that its operations lack oversight. Responding to the global investigation, the company said its services are transparent, tightly audited and “subject to rigorous and continuous government oversight”.
The company said it operates under strong compliance systems and undergoes “more than 10,000 audits and assessments annually, conducted by internal and external auditors, including those assigned by client governments”.
It also said that wherever operational problems are found, “structured remediation plans are implemented”.
What does VFS Global actually do?
VFS Global says its role is limited to front-end administrative work. This includes collecting visa application forms, checking required documents as per government checklists, and enrolling biometrics where needed.
The company says it does not decide who gets a visa. It also says it does not control appointment availability, mandatory documentation or visa processing timelines. These decisions, according to the company, remain entirely with the respective governments.
This distinction is central to VFS Global’s defence. It presents itself as an administrative and technology services provider, not a visa decision-making authority.
How does it impact travellers and visa holders?
VFS Global’s importance has grown as governments increasingly outsource parts of the visa process to external service providers. That model allows diplomatic missions to handle large volumes of applications while focusing on final assessment and decision-making.
But the EU now appears to be moving toward tighter checks. In its recently adopted EU Visa Policy Strategy, the European Commission said the “growing reliance by Member States on ESPs (External Service Providers) to handle parts of the visa process calls for improved quality control and monitoring.”
VFS Global official statement
“VFS Global is a trusted partner to governments worldwide. Given the nature of our work in visa administrative services, we operate under rigorous oversight across all markets, including for governments with some of the most stringent integrity and security requirements. For a quarter of a century, we have supported client governments in delivering secure and efficient visa services at scale, and our work is subject to regular competitive tender. We do not tolerate fraud, data misuse, or any conduct that falls below the high standards our clients and their applicants expect of us.
“Our optional value-added services are developed in consultation with, and approved and monitored by, our client governments. Whether applicants choose to use these services or not, they have no bearing on visa application decisions, which are solely a matter for governments. We are committed to ensuring that the optional nature of these services is clearly and consistently communicated at every touchpoint.”