Why Indian Insurtechs Struggle with Regulatory Compliance: Sandbox Limitations, Capital Requirements, and Distribution Friction

IRDAI has consistently expressed support for technology-driven innovation in Indian insurance. The regulator's public statements, annual reports, and circulars over the past five years have emphasised the role of technology in expanding insurance penetration, improving customer experience, and reducing operational costs. The establishment of the IRDAI Regulatory Sandbox in 2019, the launch of Bima Sugam (the proposed insurance marketplace), and the regulator's encouragement of digital distribution channels all signal a genuine intent to modernise the sector.

Yet the lived experience of Indian insurtechs tells a different story. Between 2019 and 2025, over 150 insurtech startups were founded in India, attracting cumulative venture capital investment exceeding USD 2 billion. Of these, only a handful have achieved sustainable scale. Many have pivoted away from insurance entirely. Several have shut down. The failure rate is not primarily a product of bad business models or weak technology. It reflects a structural mismatch between the regulatory framework, designed for large, well-capitalised insurance companies, and the operating reality of early-stage technology companies trying to bring new products and distribution models to market.

The regulatory challenges fall into three broad categories. First, the sandbox programme, while conceptually sound, has design limitations that constrain its practical utility for insurtechs. Second, the capital and licensing requirements for operating as an insurer or insurance intermediary in India create a high barrier to entry that excludes most startups. Third, the distribution regulations, which govern how insurance products can be marketed, sold, and serviced, impose compliance burdens that are disproportionate for digital-first business models.

These challenges are not unique to India. Insurtechs globally face tension between innovation speed and regulatory caution. But India's specific regulatory architecture, rooted in the Insurance Act 1938 (since amended but retaining its fundamental framework), creates friction points that are distinctly Indian. Understanding these friction points is essential for insurtechs planning their compliance strategy, for insurers evaluating insurtech partnerships, and for the regulator itself as it considers the next round of reforms.

IRDAI launched the Regulatory Sandbox framework in September 2019, enabling registered insurers and insurance intermediaries to test innovative products, services, and processes in a controlled environment with relaxed regulatory requirements. The concept, borrowed from the UK's Financial Conduct Authority (FCA) and Singapore's Monetary Authority, was sound: allow experimentation within defined boundaries, learn from the results, and use those learnings to inform permanent regulatory changes.

In practice, the sandbox has several structural limitations that reduce its effectiveness as an innovation enabler.

First, participation is restricted to entities already registered with IRDAI. The effect is that an unregistered insurtech startup cannot directly participate in the sandbox. It must either obtain IRDAI registration first (which requires meeting the same capital and licensing requirements that the sandbox is intended to help test alternatives to) or partner with a registered insurer or intermediary that sponsors its sandbox application. The partnership requirement adds complexity, delays, and cost. The registered entity bears the regulatory risk of the sandbox experiment, which makes many insurers conservative about what they will sponsor.

Second, the sandbox operates in time-bound cohorts with fixed themes. Each cohort runs for 6 months (which can be extended to 12 months with IRDAI approval) and focuses on a pre-announced theme, such as health insurance innovation, motor insurance, or microinsurance. An insurtech with an innovation outside the current cohort's theme must wait for a relevant theme to be announced, which may take a year or more. This thematic restriction made sense when the sandbox was new and IRDAI wanted to manage the scope of experimentation, but it creates unnecessary delays for insurtechs whose innovations do not align with the current cycle.

Third, the customer base permitted in the sandbox is capped. Sandbox experiments are limited to a defined number of policyholders, typically a few thousand, during the testing period. While this is understandable from a consumer protection perspective, it prevents insurtechs from generating the transaction volume needed to validate unit economics. An insurtech that can demonstrate product-market fit with 2,000 customers may still be unable to prove that the business model works at 200,000 customers, where economies of scale and operational challenges are fundamentally different.

Fourth, the transition from sandbox to permanent market is not clearly defined. After a successful sandbox experiment, the insurtech (or its registered sponsor) must apply for permanent regulatory approval under the existing framework, which may not accommodate the innovation that was just tested. If the innovation requires a new product category, a new distribution channel approval, or a deviation from standard policy wordings, obtaining permanent approval can take as long as the sandbox experiment itself.

The most formidable barrier to entry for insurtechs in India is the minimum capital requirement for obtaining an insurance license. Under the Insurance Act 1938 (as amended by the Insurance Laws Amendment Act 2015), the minimum paid-up equity capital for a general insurance company is INR 100 crore. For a reinsurer, it is INR 200 crore. For a life insurer, INR 100 crore. These thresholds were last revised in 2015 and have not been adjusted to reflect the emergence of technology-driven, capital-light business models.

For a venture-backed insurtech, INR 100 crore of equity capital is a prohibitive requirement at the early stage. Most insurtech startups in India raise seed rounds of INR 5 to 15 crore and Series A rounds of INR 30 to 80 crore. The entirety of their early funding goes toward product development, technology infrastructure, team building, and customer acquisition. Locking INR 100 crore into paid-up capital for an insurance license would consume the equivalent of a mid-sized Series B round, leaving no working capital for actual operations.

The capital requirement reflects a regulatory philosophy designed for traditional insurers that maintain large balance sheets to back their policy liabilities. This makes sense for a full-stack insurer writing fire, marine, and motor portfolios with aggregate sum insured in thousands of crore. It makes less sense for a technology-driven insurer that underwrites a narrow product line (say, parametric weather insurance or embedded transit cover) with limited maximum policy liabilities and that cedes most of its risk to reinsurers.

Some jurisdictions have addressed this by introducing tiered licensing. The UK's FCA, for example, has capital requirements that scale with the volume and nature of business written. Singapore's MAS offers a sandbox express pathway with reduced capital for digital insurers during the initial period. Australia has a restricted ADI (authorised deposit-taking institution) license for fintechs. India currently has no equivalent tiered structure for insurers.

IRDAI has taken one step toward addressing this barrier. In 2024, the regulator proposed amendments to allow 'composite licenses' that would permit a single entity to write both life and general insurance, and discussed the possibility of reduced capital requirements for insurers operating in specific niches. As of early 2026, these proposals remain under consultation, and no new licensing framework has been formally implemented.

The practical consequence is that most Indian insurtechs operate not as licensed insurers but as technology service providers to licensed insurers, or as licensed insurance intermediaries (brokers, web aggregators, or corporate agents). This intermediary model limits the insurtech's control over product design, pricing, claims handling, and customer experience, all of which ultimately depend on the licensed insurer partner's willingness to innovate.

Given the capital barrier to obtaining an insurance license, most Indian insurtechs operate as licensed intermediaries. The three primary intermediary licenses relevant to insurtechs are the insurance broker license (governed by IRDAI Broker Regulations 2018), the web aggregator license (governed by IRDAI Web Aggregator Guidelines), and the corporate agent license (governed by IRDAI Corporate Agent Regulations 2015). Each carries its own compliance obligations that create friction for digital-first businesses.

The insurance broker license requires minimum paid-up capital of INR 50 lakh (for a direct broker, INR 2 crore for a composite broker) and mandates a principal officer with at least 10 years of insurance industry experience. The broker must maintain client accounts separate from operating accounts, submit quarterly returns to IRDAI, undergo annual audits, and comply with detailed regulations on disclosure, grievance handling, and record-keeping. For a well-funded insurtech with experienced team members, these requirements are manageable. For a lean startup with a small team, the compliance overhead consumes a disproportionate share of resources.

The web aggregator license, introduced in 2017 and revised subsequently, permits online comparison and sale of insurance products from multiple insurers. This license most closely resembles the insurtech distribution model. However, the regulations impose restrictions that constrain the digital business model. Web aggregators must display products from a minimum number of insurers (at least 4 life and 4 non-life insurers on their platform), cannot provide advice or recommendation (only comparison), and must route all transactions through the insurer's own payment gateway. The prohibition on advice is particularly problematic: many insurtechs differentiate themselves by offering personalised recommendations based on the customer's risk profile, which is technically advisory activity that a web aggregator license does not permit.

The corporate agent license allows an entity to distribute products from up to three life insurers, three non-life insurers, and three health insurers. This model is used by several insurtechs (and by non-insurance entities like banks and NBFCs) but limits the number of insurer partnerships, constraining the product range that the platform can offer.

Beyond the specific license requirements, all intermediaries must comply with IRDAI's know-your-customer (KYC) norms, anti-money laundering (AML) regulations, and the increasingly detailed requirements of the Digital Personal Data Protection Act 2023 (DPDP Act). The compliance burden is identical whether the intermediary is a large broking house with INR 500 crore in annual premium placement or a startup processing INR 50 lakh in monthly premium. This lack of proportionality is a recurring theme in Indian insurance regulation.

Even for insurtechs that operate through partnerships with licensed insurers, bringing a new product to market requires working through IRDAI's product approval process. Under the 'file and use' procedure introduced in 2016 (replacing the earlier 'use and file' system for non-tariff products), insurers must file new product details with IRDAI before launching them. The regulator has 30 days to raise objections, after which the product is deemed approved.

In practice, the product approval timeline is frequently longer than the statutory 30 days. IRDAI's product committee may request additional information, seek clarifications on pricing methodology, or raise concerns about policy wording that require revision and re-filing. For genuinely innovative products, those that create new coverage categories rather than modifying existing ones, the back-and-forth with the regulator can extend the approval process to 3 to 6 months or longer.

This pace is misaligned with the speed at which insurtechs (and the markets they serve) operate. A parametric crop insurance product tied to real-time weather data needs to be in the market before the sowing season begins. An embedded transit insurance product integrated into an e-commerce platform needs to launch when the platform's feature release schedule dictates, not months later when regulatory approval arrives. A cyber insurance product designed to cover a newly emerging threat vector loses relevance if it takes a year to reach the market.

The product filing process also creates friction for iterative product development, which is fundamental to the technology startup methodology. Insurtechs typically launch a minimum viable product, gather customer feedback, and iteratively improve the product based on data. Each iteration that changes the product's coverage scope, pricing, or terms requires a new filing with IRDAI. An insurtech that wants to test three different deductible structures and two different premium models must file (and wait for approval of) each variant, a process that can stretch iterative product development from weeks to months.

IRDAI has shown awareness of this problem. The regulator's 2024 proposals include a 'use and file' option for microinsurance and parametric products, which would allow insurers to launch certain innovation-oriented products immediately and file the details with IRDAI within 15 days. If implemented, this would significantly accelerate time-to-market for the product categories most relevant to insurtechs. However, the proposal remains under discussion, and the timeline for formal implementation is uncertain.

Industry participants have suggested additional reforms: a fast-track approval pathway for products that meet defined innovation criteria, pre-approved product templates for common insurtech categories (embedded insurance, parametric covers, on-demand insurance), and a dedicated product team within IRDAI focused on innovation-oriented filings. Any of these measures would reduce the pace mismatch that currently constrains insurtech product development.

Indian insurtechs increasingly face a compliance challenge that did not exist five years ago: the intersection of insurance regulation, data protection law, and technology outsourcing rules. The Digital Personal Data Protection Act 2023 (DPDP Act), combined with IRDAI's outsourcing and cloud computing guidelines, creates a multi-layered regulatory framework that affects how insurtechs collect, store, process, and share data.

The DPDP Act applies to all personal data processed within India, including insurance policy data, claims data, health data, and financial data. Insurance data is particularly sensitive because it often includes health information (for health and life insurance), financial information (income, assets, liabilities), and location data (property addresses, vehicle tracking). The Act requires data fiduciaries (the entities that determine the purpose and means of data processing) to obtain consent for data collection, maintain data accuracy, retain data only as long as necessary, and implement reasonable security safeguards.

For insurtechs that process data on behalf of licensed insurers, the classification of data fiduciary versus data processor is critical. If the insurtech acts as a data processor (processing data on the insurer's instructions), the insurer bears primary compliance responsibility. If the insurtech independently determines how data is used (for its own analytics, product development, or marketing), it may be classified as a data fiduciary with direct compliance obligations under the DPDP Act.

IRDAI's Information and Cyber Security Guidelines (2023) and its Outsourcing Guidelines add insurance-specific data requirements on top of the DPDP Act. The cyber security guidelines mandate that insurers and intermediaries implement specific technical controls (encryption, access management, incident response plans) and undergo periodic security audits. The outsourcing guidelines require that any outsourcing arrangement involving policyholder data (including outsourcing to a technology vendor or insurtech partner) must be approved by the insurer's board, subject to due diligence, and compliant with data localisation requirements.

Data localisation is a particularly sensitive issue for insurtechs that rely on cloud infrastructure from global providers (AWS, Azure, Google Cloud) or that use AI models hosted outside India. IRDAI's guidelines require that policyholder data be stored within India. While the major cloud providers now offer India-region data centres that satisfy this requirement for data storage, the situation is less clear for data processing. If an insurtech uses a machine learning model hosted on servers outside India, and policyholder data is transmitted to that model for inference, does this violate the data localisation requirement? The regulatory guidance is ambiguous, and different insurtechs have adopted different interpretations, creating compliance uncertainty.

The practical impact is that Indian insurtechs must invest in compliance infrastructure (data governance frameworks, privacy impact assessments, security audits, legal opinions) that adds fixed costs to already capital-constrained operations. A startup with 20 employees may need to allocate one or two full-time equivalents to data compliance alone, a burden that established insurers absorb more easily across their larger cost base.

India is not the only jurisdiction grappling with how to regulate insurtechs, and the approaches adopted by other countries offer useful reference points for IRDAI's consideration.

Singapore's sandbox express pathway, launched by MAS in 2019, pre-defines a set of relaxed requirements for common fintech and insurtech business models. Applicants that fit the pre-defined criteria receive sandbox approval within 21 days, compared to months for the standard sandbox. The sandbox express includes specific categories for digital insurance broking and parametric insurance, enabling rapid experimentation in the areas most relevant to insurtechs.

The UK's FCA has implemented proportionate capital requirements that scale with business volume. A new insurer writing a small, defined book of business can operate with significantly less capital than the full Solvency II requirement, with capital thresholds increasing as the business grows. This allows technology-first entrants to prove their model before making the large capital commitment required for full-scale operations.

Bermuda's innovation hub at the Bermuda Monetary Authority (BMA) offers a 'regulatory conversations' programme where insurtechs can engage informally with regulators before formally applying for a license. This reduces the uncertainty and cost of the application process by giving the applicant early feedback on regulatory feasibility.

Australia's enhanced regulatory sandbox, expanded in 2020, allows fintech and insurtech companies to test products for up to 24 months with up to 10,000 retail clients, without requiring a full financial services license. The sandbox is open to any eligible entity, not just those already licensed, removing the participation barrier that limits India's sandbox.

For IRDAI, the most impactful reforms based on international experience would be: opening the sandbox to unlicensed insurtechs (with appropriate consumer protection safeguards); introducing tiered capital requirements for niche or digital-only insurers; implementing a proportionate compliance framework where intermediary obligations scale with business size; and creating a dedicated innovation office within IRDAI that serves as a single point of contact for insurtech regulatory queries.

The broader principle is that regulation should protect consumers without unnecessarily protecting incumbents. The current Indian framework, designed for a market dominated by four public-sector insurers, imposes entry barriers that protect existing market participants at the expense of competition and innovation. Updating this framework is not about deregulation; it is about calibrating regulation to the actual risks posed by different types of insurance entities.

Regulatory reform in India is incremental, not revolutionary. IRDAI has shown willingness to evolve, but the pace of regulatory change will always lag the pace of technological innovation. Indian insurtechs cannot afford to wait for the perfect regulatory environment; they must build viable businesses within the current framework while advocating for reform.

Prioritise the intermediary model with depth. Rather than trying to be a full-stack insurer (which requires INR 100 crore in capital and years of regulatory engagement), build deep expertise in a specific intermediary role. The most successful Indian insurtechs, Policybazaar (web aggregator, now with a broker license), Digit Insurance (which raised the capital for a full license but started as a technology-first operation), and Acko (direct insurer targeting specific segments), all found paths through the existing regulatory framework rather than waiting for it to change.

Invest in compliance as a capability, not just a cost. Insurtechs that build strong compliance functions early gain credibility with IRDAI, insurer partners, and investors. Appointing a qualified principal officer, maintaining clean regulatory filings, and proactively engaging with IRDAI inspections signals seriousness and reduces regulatory friction. Several insurtechs have found that investing in compliance actually accelerates their business development, because insurer partners (who bear regulatory risk for the insurtech's activities) are more willing to extend product and distribution partnerships to insurtechs with demonstrated compliance maturity.

Engage with IRDAI constructively. The regulator maintains consultation channels through industry bodies (GI Council, Life Insurance Council, Insurance Brokers Association of India) and conducts periodic stakeholder consultations on regulatory proposals. Insurtechs that participate in these processes, submitting detailed, evidence-based responses to consultation papers, have a greater chance of influencing regulatory outcomes. IRDAI's recent openness to composite licenses, reduced capital requirements, and use-and-file for innovative products reflects, at least in part, advocacy by the insurtech community.

Build for regulatory portability. Design your technology and operating model so that it can adapt to regulatory changes without fundamental rebuilding. Use modular compliance architecture: separate your KYC module, your consent management module, your product filing module, and your data governance module so that each can be updated independently as regulations evolve. An insurtech that hardcodes its current compliance requirements into a monolithic system will face expensive re-engineering every time IRDAI issues a new circular.

Finally, document everything. Maintain records of all regulatory interactions, all compliance decisions, all data processing activities, and all product filings. Indian insurance regulation is increasingly audit-oriented, and the ability to produce a complete compliance audit trail on demand is a competitive advantage, not just a regulatory obligation.