Compliance Checklist: Deploying AI in IRDAI and RBI Regulated Industries
A complete compliance framework for deploying AI Employees in insurance and banking. Covers do-not-call registry, call timing rules, recording obligations, consent capture, and DPDPA requirements.
What You'll Learn
- IRDAI and RBI call compliance rules in detail
- Consent capture and DPDPA obligations for AI agents
- Call recording and audit log requirements
- Do-not-call registry checks and frequency caps
- Handling customer complaints raised during AI interactions
Introduction
Deploying AI in regulated Indian financial-services workflows - insurance, banking, NBFC lending, capital markets - is not a technology problem. It's a compliance-first design problem. IRDAI, RBI, SEBI, and the DPDP Act each impose requirements on how customers can be contacted, how data must be logged, who owns audit trails, and what must happen when a customer raises a dispute. A brilliant AI deployment that trips any one of these produces regulatory letters, not revenue.
This checklist walks through the specific clauses, their operational implications, and the architecture decisions that keep your deployment inside the lines. Every item here has been field-tested in production across insurers and NBFCs operating in India.
TL;DR
- IRDAI and RBI compliance is architecture-first: calling windows, consent logs, DND scrubbing, and audit trails must be built into the AI workflow from Day 1, not retrofitted.
- The DPDP Act (being brought into force in phases) adds explicit consent, data minimization, and erasure-on-request requirements that every AI agent must handle programmatically.
- Voice biometrics and AI-generated speech are permitted but require clear customer disclosure - the AI must identify itself as AI at the start of the interaction.
- Audit trails must be immutable, retrievable for 5 years (IRDAI) or 10 years (RBI for some records), and include full transcript + outcome disposition per interaction.
- A properly compliant deployment takes 10-14 days including compliance review with your legal/compliance team - don't compress this timeline.
What Is an AI Employee Deployment?
IRDAI and RBI compliance for AI is the set of regulatory requirements governing how autonomous AI agents can interact with customers in Indian insurance and financial-services workflows. It covers permitted calling windows, consent capture and verification, DND and NDNC registry scrubbing, audit trail retention, fair-practices code adherence, data-localization requirements under DPDP Act, and mandatory human-escalation paths for specific case types (disputes, complaints, legal threats). Non-compliance can trigger regulatory action including fines, license review, and mandatory process audits.
Step-by-Step Guide
Understand Which Regulations Apply
Banks and NBFCs: RBI Digital Lending Guidelines, Fair Practices Code, TRAI TCCCPR. Insurers: IRDAI Regulations on Outsourcing and Distance Marketing. All entities: DPDPA 2023, IT Act, Aadhaar data norms. Know your full compliance stack before you configure anything.
Configure Call Timing Windows
RBI: calls between 8am-7pm only, no calls on public holidays unless borrower initiates. IRDAI: follows TRAI rules - 9am-9pm for transactional, 10am-7pm for promotional. Configure these windows as hard limits in your agent setup.
Set Up DNC Registry Integration
Integrate with TRAI's National Do Not Call registry and your internal DNC list before any campaign goes live. The agent checks both in real time before each call attempt. Maintain a log of all DNC checks for audit purposes.
Build Consent Capture Flows
For WhatsApp and SMS outreach, capture explicit opt-in consent before the first non-transactional message. Store consent records with timestamp, channel, and purpose - accessible for regulator review at any time.
Mandate Agent Identification and Disclosure
Every voice interaction must begin with agent identification (name, company, registration number). Every WhatsApp message must include your company name and purpose. These are non-negotiable regulatory requirements.
Configure Recording, Audit Logs, and Complaint Handling
All calls must be recorded and stored for a minimum of 6 months (RBI) or as specified by IRDAI. Complaint interactions must be flagged, escalated, and resolved within the regulatory timeline. Export audit trails on demand.
Technical Details & Per-Day Breakdown
Permitted Calling Windows
IRDAI Protection of Policyholders' Interests Regulations and RBI Fair Practices Code both restrict outbound calls to 8am-7pm local time, with a per-day cap on attempts per account. Your AI must enforce this with customer-level local time (based on pincode or state), public-holiday calendars, and attempt-counter logic. Violation is the most frequently cited non-compliance issue in audits.
Consent Management
Every outbound interaction requires a verifiable, time-stamped consent record. Under DPDP Act, this includes purpose limitation (can only use the data for the purpose consented), right to withdraw, and right to erasure. Build consent lookup into the pre-call workflow - if consent is absent or withdrawn, the call doesn't happen. Full stop.
DND and NDNC Scrubbing
Every outbound batch must be scrubbed against the National Do Not Call registry and your internal DND list before dialing. Scrubbing must be real-time (not batch-yesterday) because DND status changes daily. Non-compliance fines scale with volume - a single missed scrub can cost 6-7 figures in penalties.
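To make the pre-call gate concrete, here is an added Python example (not UnleashX code and not from the original checklist) that applies the steps and technical details above in one place: the 8am-7pm calling window, the public-holiday calendar and per-day attempt cap, the consent lookup with DPDP purpose limitation and withdrawal, and a real-time DND/NDNC check that is logged on every attempt whether or not the call proceeds. The NDNC and internal DND sets, the consent store, the holiday date and the cap of 3 attempts are constructed stand-ins and assumptions; the page fixes the window but gives no number for the cap, and it asks for customer-level local time, which the example models by giving each customer its own timezone (IST by default).

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone

# Assumption: IST as the default; the page wants customer-level local time derived from
# pincode or state, so each Customer carries its own tz and that lookup can plug in here.
IST = timezone(timedelta(hours=5, minutes=30))

WINDOW_START = time(8, 0)    # 8am, as stated on the page
WINDOW_END = time(19, 0)     # 7pm, as stated on the page
MAX_ATTEMPTS_PER_DAY = 3     # assumption: the page states a per-day cap but no number


@dataclass
class Customer:
    account_id: str
    phone: str
    tz: timezone = IST


@dataclass
class ComplianceState:
    """Constructed in-memory stand-ins for the NDNC feed, internal DND list and consent store."""
    ndnc: set                                       # numbers on TRAI's National DNC registry
    internal_dnd: set                               # your own do-not-disturb list
    consent: dict                                   # phone -> {"purpose", "withdrawn", "ts"}
    holidays: set                                   # public-holiday dates
    attempts: dict = field(default_factory=dict)    # (account_id, local date) -> count
    dnc_check_log: list = field(default_factory=list)


def precall_check(customer: Customer, purpose: str, now_utc: datetime, state: ComplianceState):
    """Return (allowed, reason). Every gate is evaluated at dial time against live state;
    the DND lookup is written to the log even when the call is refused."""
    local = now_utc.astimezone(customer.tz)

    on_ndnc = customer.phone in state.ndnc
    on_internal = customer.phone in state.internal_dnd
    state.dnc_check_log.append({
        "ts": now_utc.isoformat(), "phone": customer.phone,
        "ndnc": on_ndnc, "internal_dnd": on_internal,
    })
    if on_ndnc or on_internal:
        return False, "dnd_listed"

    consent = state.consent.get(customer.phone)
    if consent is None:
        return False, "no_consent"
    if consent["withdrawn"]:
        return False, "consent_withdrawn"
    if consent["purpose"] != purpose:
        return False, "purpose_mismatch"          # DPDP purpose limitation

    if local.date() in state.holidays:
        return False, "public_holiday"
    if not (WINDOW_START <= local.time() < WINDOW_END):
        return False, "outside_window"

    key = (customer.account_id, local.date())
    if state.attempts.get(key, 0) >= MAX_ATTEMPTS_PER_DAY:
        return False, "attempt_cap"
    state.attempts[key] = state.attempts.get(key, 0) + 1   # count only calls that go out
    return True, "ok"


def at_ist(y: int, m: int, d: int, hh: int, mm: int) -> datetime:
    """The UTC instant corresponding to an IST wall-clock time (used by the demo and tests)."""
    return datetime(y, m, d, hh, mm, tzinfo=IST).astimezone(timezone.utc)


def sample_state() -> ComplianceState:
    """Constructed sample data, not a real registry extract."""
    return ComplianceState(
        ndnc={"+919800000001"},
        internal_dnd={"+919800000002"},
        consent={
            "+919800000003": {"purpose": "renewal_reminder", "withdrawn": False, "ts": "2024-05-01T10:00:00+05:30"},
            "+919800000004": {"purpose": "renewal_reminder", "withdrawn": True, "ts": "2024-05-01T10:00:00+05:30"},
        },
        holidays={date(2024, 8, 15)},
    )


if __name__ == "__main__":
    st = sample_state()
    cust = Customer("ACC-3", "+919800000003")
    print(precall_check(cust, "renewal_reminder", at_ist(2024, 6, 10, 9, 30), st))
    print(precall_check(cust, "renewal_reminder", at_ist(2024, 6, 10, 19, 30), st))
```

In production the sets become live lookups against the TRAI feed and your consent store. The structural point is that every gate runs at dial time, not in a batch the night before, and that the DND lookup is logged on every attempt, including refused ones, because that log is the record an auditor asks for.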
AI Disclosure Requirement
The AI must clearly identify itself as an AI-powered agent at the start of the interaction - both voice and chat. This is an emerging regulatory expectation under DPDP transparency clauses and consumer-protection norms. A scripted opening like 'Hi, I'm Priya, an AI assistant from [Insurer]' satisfies this and has no measurable impact on engagement.
Audit Trail and Retention
Every interaction must log: timestamp, caller ID, AI agent ID, full transcript, audio recording, outcome disposition, consent status, language used, and any escalation. Retention: IRDAI requires 5 years minimum for policyholder interactions; RBI mandates 10 years for certain lending interactions. Audit trail must be immutable and retrievable by policy number or account ID within regulator-specified timeframes (typically 48 hours).
Human Escalation for Mandatory Cases
Some interaction types must trigger human escalation under regulation: customer disputes, complaints with specific keywords ('ombudsman', 'RBI complaint', 'legal action'), grievance redressal requests, and claims-related queries. Build a keyword + intent classifier that routes these cases to qualified human agents with appropriate authority, and log the handover timestamp in your audit trail.
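An added Python example of the keyword + intent classifier and handover record described above; it is not code from the page or the product. The three trigger phrases are the ones the page names; the other keywords, the regex intent patterns and the queue names are constructed assumptions standing in for a trained intent model and your real routing table.

```python
import re
from datetime import datetime, timezone

# Hard keyword triggers. 'ombudsman', 'rbi complaint' and 'legal action' are the phrases named
# on the page; the rest are constructed additions (assumption). Dict order sets precedence.
KEYWORD_TRIGGERS = {
    "ombudsman": "grievance_redressal",
    "rbi complaint": "complaint",
    "legal action": "legal_threat",
    "grievance": "grievance_redressal",
    "complaint": "complaint",
}

# Constructed intent patterns standing in for a trained intent model (assumption).
INTENT_PATTERNS = [
    (re.compile(r"\b(charged|debited|deducted)\b.*\b(twice|wrong|incorrect|without)\b"), "dispute"),
    (re.compile(r"\bclaim\b.*\b(rejected|denied|pending|status)\b"), "claims_query"),
    (re.compile(r"\b(lawyer|court|sue)\b"), "legal_threat"),
]

# Constructed queue names; in practice each maps to a team holding the required authority.
ROUTING = {
    "dispute": "disputes_desk",
    "complaint": "grievance_officer",
    "grievance_redressal": "grievance_officer",
    "legal_threat": "legal_escalations",
    "claims_query": "claims_team",
}


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so phrase matching is robust to transcription spacing."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def classify(utterance: str):
    """Return (category, trigger) or (None, None). Keywords are checked before intent
    patterns because the page treats them as unconditional escalation triggers."""
    text = normalise(utterance)
    for phrase, category in KEYWORD_TRIGGERS.items():
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            return category, phrase
    for pattern, category in INTENT_PATTERNS:
        match = pattern.search(text)
        if match:
            return category, match.group(0)
    return None, None


def route(utterance: str, account_id: str, ai_agent_id: str, now=None):
    """Build the handover record to write to the audit trail, or None if the AI may continue."""
    category, trigger = classify(utterance)
    if category is None:
        return None
    now = now or datetime.now(timezone.utc)
    return {
        "account_id": account_id,
        "from_agent": ai_agent_id,
        "category": category,
        "trigger": trigger,
        "queue": ROUTING[category],
        "handover_ts": now.isoformat(),    # the timestamp the page says must be logged
    }


if __name__ == "__main__":
    print(route("I will take this to the Ombudsman", "ACC-7", "ai-priya-01"))
    print(route("What is my renewal date?", "ACC-7", "ai-priya-01"))
```

The returned record is what goes into the audit trail at handover; the matched trigger is kept alongside the category so that a reviewer can see exactly which words forced the escalation.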
Common Mistakes (and How to Avoid Them)
Mistake: Compressing the compliance review to hit a 7-day timeline
Fix: Regulated deployments take 10-14 days. Build in 2-3 days for legal/compliance review of scripts, consent language, and audit-trail architecture. Don't skip this.
Mistake: Treating DPDP as a 'future' problem
Fix: DPDP Act is live in phases. Consent management, data minimization, and erasure handling must be operational now. Grandfathered data is a regulatory vulnerability.
Mistake: Logging transcripts to a file system instead of an immutable store
Fix: Transcripts are regulated records. Use append-only storage with cryptographic hashing and retention policies enforced in the storage layer itself. File systems fail audit tests.
Mistake: Not disclosing the AI identity at call start
Fix: Regulators view undisclosed AI as a consumer-protection violation. One-line disclosure at call open is mandatory. No measurable engagement impact.
Mistake: Using an AI model that wasn't reviewed for bias in Indian vernaculars
Fix: If the AI model was primarily trained on English, it may mishandle Hindi, Tamil, or Bengali customer interactions - misclassify intent, mis-transcribe, or respond inappropriately. Audit the model's performance per language before production.
Mistake: Running a single AI across IRDAI + RBI workflows without segmentation
Fix: Insurance and banking have different calling windows, different script requirements, and different audit taxonomies. Separate the workflows and their compliance rules explicitly.
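The append-only, cryptographically hashed store that the Audit Trail and Retention section and the immutable-store mistake above both call for can be built as a hash chain, where each entry commits to the previous entry's hash. The following Python example is added here and is not the platform's implementation: the required field names follow the list in the Audit Trail section, the regime labels and retention day counts are assumptions derived from the page's 5-year and 10-year figures, and the sample record is constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64

# Retention from the page: IRDAI 5 years for policyholder interactions, RBI 10 years for
# certain lending interactions. Regime labels and the 365-day year are assumptions.
RETENTION_DAYS = {"irdai_policyholder": 5 * 365, "rbi_lending": 10 * 365}

# The fields the page says every interaction must log, plus the lookup key and regime.
REQUIRED_FIELDS = frozenset({
    "timestamp", "caller_id", "agent_id", "transcript", "recording_sha256",
    "disposition", "consent_status", "language", "escalation",
    "account_id", "regime",
})


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only, hash-chained interaction log. Editing, reordering or deleting any
    entry changes the hash that every later entry commits to, so verify() fails."""

    def __init__(self):
        self._entries = []

    def append(self, record: dict) -> str:
        missing = REQUIRED_FIELDS - record.keys()
        if missing:
            raise ValueError(f"record missing fields: {sorted(missing)}")
        if record["regime"] not in RETENTION_DAYS:
            raise ValueError(f"unknown regime {record['regime']!r}")
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        digest = hashlib.sha256(prev.encode() + _canonical(record)).hexdigest()
        self._entries.append({"seq": len(self._entries), "prev_hash": prev,
                              "record": dict(record), "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain from genesis; False on any modified, moved or missing entry."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            expected = hashlib.sha256(prev.encode() + _canonical(entry["record"])).hexdigest()
            if expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def find_by_account(self, account_id: str) -> list:
        """Retrieval by policy number / account ID, as the page requires."""
        return [e for e in self._entries if e["record"]["account_id"] == account_id]

    def retain_until(self, entry: dict) -> datetime:
        """Earliest date the entry may be purged under its regime's retention rule."""
        record = entry["record"]
        return datetime.fromisoformat(record["timestamp"]) + timedelta(days=RETENTION_DAYS[record["regime"]])


def sample_record() -> dict:
    """Constructed sample interaction; values are illustrative, not real customer data."""
    return {
        "timestamp": "2024-06-10T09:31:00+05:30",
        "caller_id": "+919800000003",
        "agent_id": "ai-priya-01",
        "account_id": "POL-001",
        "regime": "irdai_policyholder",
        "transcript": "AI: Hi, I'm Priya, an AI assistant from [Insurer]. ...",
        "recording_sha256": hashlib.sha256(b"constructed audio bytes").hexdigest(),
        "disposition": "renewal_confirmed",
        "consent_status": "granted:renewal_reminder",
        "language": "hi-IN",
        "escalation": None,
    }


if __name__ == "__main__":
    log = AuditLog()
    log.append(sample_record())
    print("chain valid:", log.verify())
    print("retain until:", log.retain_until(log.find_by_account("POL-001")[0]).date())
```

The audio itself is not stored in the chain; only its SHA-256 is, which binds the recording to the transcript and disposition without bloating the log. For a real deployment the entries go to a write-once backend and the head hash is periodically anchored somewhere the operating team cannot rewrite, so that verify() is checked against an external reference rather than the store's own copy.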
Build an IRDAI/RBI-Compliant AI Stack vs. Deploy UnleashX
| Criterion | Build In-House | Deploy with UnleashX |
|---|---|---|
| Time to first live workflow | 3-6 months | 10-14 days (compliance review included) |
| Engineering resources required | 2-4 engineers + conversation designer | 0 |
| Language and channel coverage | Build per language and per channel | 100+ languages, voice + WhatsApp + SMS + email out of the box |
| Integration effort | Design audit-trail storage, DND scrubbing, consent management from scratch | All compliance controls built in; legal-reviewed defaults |
| Compliance and audit | Ongoing regulatory-update maintenance (IRDAI/RBI/DPDP) | Platform-managed updates + quarterly compliance review |
| Ongoing cost | $30-60k/month (team + infra) | Usage-based, starts at $49/month |
Frequently Asked Questions
Does UnleashX handle DPDPA consent management?
Yes. UnleashX includes built-in consent capture, storage, and withdrawal handling in line with India's Digital Personal Data Protection Act 2023.
What happens if a customer requests data deletion?
Deletion requests are flagged and routed to your compliance team. UnleashX provides a data export and deletion workflow compliant with DPDPA Right to Erasure requirements.
Can we export call recordings for a regulatory inspection?
Yes. All recordings are stored with full metadata (date, time, agent ID, customer ID, outcome) and can be bulk-exported in standard formats for regulatory review.
Is the compliance configuration audited before go-live?
Yes. Every deployment includes a compliance readiness check by our team before any live calls are made. We provide a compliance sign-off checklist you can share with your legal team.
Conclusion
Compliance is not a checkbox - it's the foundation of every regulated-industry AI deployment. Every control in this checklist has been hit in a real audit somewhere. Build them in from Day 1, or retrofit them under duress later. The cost of a compliant deployment is measured in days (10-14 of them). The cost of a regulatory action is measured in quarters of lost productivity and audit remediation.