The Regulatory Mood Has Shifted
For most of the past decade, Indian digital insurance platforms operated in a relatively light regulatory environment. The IRDAI (Insurance Web Aggregators) Regulations, 2017 prescribed a registration and conduct regime for comparison platforms; the IRDAI Sandbox Regulations, 2019 created a controlled-experimentation route; the Point of Sales Person (POSP) structure allowed digital distribution at scale; and most insurtechs operated as corporate agents or brokers under existing intermediary regimes. The regulatory expectations were primarily on the insurer carrying the risk.
The Bima Sugam platform, the DPDP Act, 2023, the IRDAI Master Circular on Outsourcing, 2024, and a string of policyholder-protection enforcement actions in 2024 and 2025 have shifted the picture. Digital platforms are now expected to carry governance and conduct accountability comparable to insurers, not just commercial-intermediary disclosure norms. Platforms that have been operating with start-up-stage governance are facing supervisory attention that the cap table has not yet absorbed.
The Regulatory Stack a Platform Now Sits Under
An Indian digital insurance platform, depending on its specific business model, sits under several overlapping rule sets. A working compliance map should include:
- the IRDAI (Insurance Web Aggregators) Regulations, 2017 for any comparison and lead-generation activity
- the IRDAI (Insurance Brokers) Regulations, 2018 or Corporate Agents Regulations, 2015 for actual distribution
- the IRDAI Information Security Guidelines, 2023 for any handling of policyholder data
- the Digital Personal Data Protection Act, 2023 for personal data processing
- the CERT-In Directions, 2022 for cyber-incident reporting (6-hour window)
- the IRDAI Outsourcing Master Circular, 2024 to the extent the platform performs functions outsourced from an insurer
- the Consumer Protection Act, 2019 and the e-Commerce Rules for direct-to-consumer presentation
- relevant sectoral rules for any add-on services (lending, payments, health-data sharing)
The overlap creates ambiguity in places, and platforms that have not mapped their activity against each rule set are likely to find a gap when a regulator examines a specific activity.
Display Neutrality and Recommendation Governance
The IRDAI's expectation for comparison and recommendation platforms is display neutrality: the order, prominence, and recommendation logic for listed products must reflect customer needs rather than commission economics or partner relationships.
The practical implications:
- the default sort on a comparison page should be a documented customer-centric metric (suitability, claim-settlement record, price-for-coverage), not commission earned by the platform
- any sponsored or featured placement must be clearly labelled and ranked separately from default results
- the recommendation algorithm, where one is used, should be documented with the features it considers and the weighting between them
- changes to the algorithm should be version-controlled, with the change rationale, the test results, and the approver named in the change log
Suitability, Needs Analysis, and Documentation
Distribution platforms, particularly those selling life and health products, must increasingly document a needs analysis before recommendation. The IRDAI Master Circular on Corporate Agents, 2024 brought corporate-agent suitability standards closer to broker-level expectations, and platforms operating as corporate agents inherit that obligation.
A working needs-analysis workflow on a digital platform:
- captures customer-volunteered information about income, dependents, existing cover, and risk concerns
- presents the resulting product options with a clear basis for recommendation
- saves the captured inputs and the recommendation logic to a retrievable audit trail for the required retention period
- includes a documented opt-out path for customers who decline to provide information, with appropriate caveats about the recommendation that follows
Where the platform serves multi-language or low-digital-literacy customers, the suitability workflow should adapt rather than be replaced. A workflow that only works for English-fluent users in metros is not a defensible distribution architecture for a national platform.
For pure comparison and lead-generation platforms, the obligation is lighter but not absent: the platform must not present quotations as recommendations and must not collect more data than required for the comparison purpose stated.
Data Protection on Digital Platforms
Digital platforms are the most data-rich intermediaries in Indian insurance and the most exposed to DPDP Act risk. The standard architecture (a frontend that collects personal data, a backend that distributes it to multiple insurers and possibly third-party scoring services, and analytics pipelines that improve conversion) creates a data-flow surface that requires explicit lawful basis at multiple points.
A working DPDP compliance posture for a platform includes:
- a purpose specification for each data field, with consent flows that reflect the purpose
- data minimisation in the user interface: do not ask for PAN, address, or family details before they are needed for the quotation or issuance step
- insurer-side consent forwarding: when personal data is sent to an insurer for quotation, the customer should know which insurers will receive it and what they will do with it
- erasure rights: a documented process for honouring DPDP erasure requests, with appropriate retention exceptions for regulatory and contractual obligations
- breach notification: a workflow that meets both the CERT-In 6-hour cyber-incident window and the DPDP Act's data-breach notification expectations, which are stricter than current practice
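The first three controls in the list above (purpose specification per field, minimisation by journey step, and consent-scoped forwarding to insurers) can be enforced at the API boundary. The sketch below is an added example, not code from any platform or regulator; the field names, step names, and the step assigned to each field are assumptions.

```python
from dataclasses import dataclass

# Journey steps in order; the names are assumptions for this example.
STEPS = ["comparison", "quotation", "issuance"]

@dataclass(frozen=True)
class FieldRule:
    purpose: str        # purpose shown to the customer in the consent flow
    earliest_step: str  # first journey step at which the field is needed

# Constructed purpose register: one entry per data field the platform collects.
PURPOSE_REGISTER = {
    "age":            FieldRule("premium indication", "comparison"),
    "sum_insured":    FieldRule("premium indication", "comparison"),
    "address":        FieldRule("insurer quotation", "quotation"),
    "family_details": FieldRule("insurer quotation", "quotation"),
    "pan":            FieldRule("policy issuance", "issuance"),
}

# Constructed submission from a comparison-page form (values are placeholders).
SAMPLE = {"age": 34, "sum_insured": 500000,
          "pan": "PLACEHOLDER-PAN", "device_id": "PLACEHOLDER-ID"}

def minimise(payload: dict, step: str) -> tuple[dict, list[str]]:
    """Split a submission into fields allowed at `step` and fields rejected.

    A field is rejected if it has no registered purpose, or if it arrives
    before the step that needs it.
    """
    current = STEPS.index(step)
    allowed, rejected = {}, []
    for name, value in payload.items():
        rule = PURPOSE_REGISTER.get(name)
        if rule is None or STEPS.index(rule.earliest_step) > current:
            rejected.append(name)
        else:
            allowed[name] = value
    return allowed, sorted(rejected)

def forward_for_quotation(payload: dict, requested: list[str],
                          consented: set[str]) -> dict[str, dict]:
    """Build per-insurer quotation payloads, only for insurers the customer
    was shown and agreed to; other requested insurers receive nothing."""
    allowed, _ = minimise(payload, "quotation")
    return {name: dict(allowed) for name in requested if name in consented}
```

Logging the rejected field names (not their values) gives the audit trail a record of over-collection attempts by the frontend.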
Platforms that are still operating on the older IT Act 2000 reasonable-security framework are not compliant under the DPDP Act, even before the Data Protection Board becomes operational. The substantive obligations are largely in force; only the enforcement infrastructure is pending.
Complaint Handling and Grievance Redressal
The IRDAI Bima Bharosa grievance platform and the policyholder-protection regulations together set complaint-handling expectations that digital platforms increasingly own end to end. The legal distribution chain (customer to platform to insurer) does not absolve the platform of responsibility for first-line complaint handling, particularly for service issues that originate at the platform itself.
A platform's grievance architecture should include:
- a public grievance redressal officer named on the website with email and phone contact
- a defined response window, typically acknowledgement within 1 working day and resolution or interim response within 7 working days
- escalation paths to the platform's grievance committee, then to the originating insurer, then to the IRDAI's Bima Bharosa or the ombudsman
- transparent reporting of complaint volumes, resolution times, and outstanding complaints on a periodic basis
- a documented root-cause-analysis process that feeds back into product changes, partner-insurer escalations, or front-end redesigns
Platforms whose first response is to redirect every complaint to the insurer are not meeting current IRDAI expectations and should expect targeted supervisory attention in 2026 and beyond.
Board, Risk, and Bima Sugam Implications
Two structural shifts will redefine digital platform governance over the next 18 months.
First, board-level governance is now expected even for relatively small platforms. The IRDAI Corporate Governance Guidelines, 2024 extended their reach to material intermediaries, with proportional but real expectations on independent directors, audit and risk committees, and risk-management functions. Insurtechs running with founder-dominated boards and informal risk arrangements should plan for restructuring before regulatory attention forces it.
Second, Bima Sugam changes the competitive geography. Once the regulator-built platform offers standardised retail products with controlled disclosure, the value proposition of private aggregators shifts from comparison to advisory, partner curation, and post-sale service. Platforms that have been monetising opaque comparison will find their economics under pressure simultaneously from Sugam-driven transparency and from supervisory expectations on display neutrality.
The platforms that thrive will be those that invest in the governance infrastructure now, position themselves as trusted advisors for segments Sugam does not serve well (complex retail, SME, group health), and build genuine post-sale capability. The platforms that try to extract last-cycle economics through opaque practices are likely to face a difficult 24 months.

