On 10th January 2025, the Insurance Regulatory and Development Authority of India (“IRDAI”) published a press release stating that, in the interest of maintaining an “agile, progressive, and forward-looking regulatory framework,” it has notified two new regulations along with three amendments to existing regulations. These are:

  1. IRDAI (Regulatory Sandbox) Regulations 2025;
  2. IRDAI (Maintenance of Information by the Regulated Entities and Sharing of Information by the Authority) Regulations 2025;
  3. IRDAI (Re-insurance Advisory Committee) (Amendment) Regulations 2025;
  4. IRDAI (Insurance Advisory Committee) (Amendment) Regulations 2025; and
  5. IRDAI (Meetings) (Amendment) Regulations 2025.

Aiming to align with a principle-driven regulatory architecture, the IRDAI has introduced measures to support innovation, improve governance policies, and, most notably, reference data security as a key facet of the increasingly digitalized insurance sector. The new IRDAI regulations introduce several major changes and bring a forward-looking shift to the landscape. Here’s a comprehensive look at what the new reforms entail for the industry:

  1. Regulatory Sandbox Regulations

The newly introduced Regulatory Sandbox Regulation, which replaces the 2019 Regulations governing experimental regulatory sandboxes, has perhaps received the most benefit of all the notified Regulations. It expands the scope of the regulatory sandbox with the purpose of promoting innovation, adaptability, and operational efficiency in the industry.

The Sandbox Regulation now permits “Inter-Regulatory Sandbox Proposals”, which cut across more than one financial sector within the regulatory sandbox framework. The process and procedures for dealing with such inter-regulatory sandbox applications, along with other aspects of the Sandbox Regulation such as timelines (which have been entirely omitted from the repealed Regulation), have not yet been notified and shall be made operational later through an upcoming master circular.

The Sandbox Regulation makes explicit mention of the Digital Personal Data Protection Act, 2023 (DPDP Act), specifying compliance with the not-yet-implemented data privacy act as a mandatory prerequisite to being granted permission to establish a regulatory sandbox. By natural implication, this also subjects the sector to the authority of the Data Protection Board under the Act, ensuring an added layer of digital personal data protection.

Another change in the Sandbox Regulation is the formal shifting of powers and the creation of a distinction between “Authority” and “Competent Authority”. The IRDAI (“Authority”) is now considered a separate entity from the Chairman of the IRDAI (“Competent Authority”). Whole-Time Member(s) of the IRDAI or Officer(s) of the IRDAI, as may be decided by the Chairman, could also be considered as Competent Authority under the new Regulation. All matters pertaining to regulatory sandbox applications and operations are therefore now to be handled directly by such Competent Authority, and decisions taken by the Competent Authority are considered final on all accounts.

  2. Maintenance of Information by the Regulated Entities and Sharing of Information by the Authority Regulations

Although new by title, this Information and Records Regulation is essentially a consolidation and simplification of three existing regulations, which have respectively been split into three chapters of the new Regulation, namely: (I) IRDAI (Sharing of Confidential Information Concerning Domestic or Foreign Entity) Regulations, 2012; (II) IRDAI (Maintenance of Insurance Records) Regulations, 2015; and (III) IRDAI (Minimum Information Required for Investigation and Inspection) Regulations, 2010. The new Information and Records Regulation greatly streamlines the structural arrangement of provisions under the old Regulations, substantially improving readability and ease of reference, reducing clutter and overlap.

    1. With regard to the sharing of confidential information by the IRDAI concerning domestic or foreign entities, the new Information and Records Regulation features a few minor tweaks and additions which slightly expand the powers of the IRDAI. Where the IRDAI is asked to disclose information available with it which is not available in the public domain, the new Information and Records Regulation adds a further condition that all applicable laws must permit the sharing of such information for the IRDAI to even consider such a request. This reads as requiring all applicable laws, most discernibly emerging laws such as data privacy laws, to permit such sharing of information with regard to foreign entities.
    2. Similarly, the new Information and Records Regulation incorporates the requirement for maintenance systems to contain a data governance framework, evidently in furtherance of the imminent implementation of the DPDP Act; however, explicit mention of the DPDP Act is not made in the Regulation. While the old Regulation permitted insurers to allow access to insurance records for inspections by the IRDAI, the new Information and Records Regulation also permits such access for investigations, as well as for “any other purpose” as deemed necessary by the IRDAI. This vague wording substantially widens the powers of the IRDAI to scrutinize insurance records. The provisions regarding maintenance of records have also been expanded to include insurers solely involved in the business of reinsurance. Similarly, the IRDAI Board approved policy of the insurer relating to record maintenance now requires insurers to implement all appropriate security mechanisms necessary to protect electronically stored records and to include “any other matters, as specified by the (IRDAI)” through the issue of circulars, guidelines, or instructions.
    3. Finally, the old Regulation relating to Minimum Information for Investigation and Inspection has now been expanded under the new Information and Records Regulation to provide for the data collected to be stored in “data centres located and maintained in India”, apart from the principal place of business, branches, and other offices of the insurer. This is yet another reflection of India’s new data privacy regime, which treats data localization as the norm. Additionally, whereas the old Regulation permitted information to be stored in “physical or electronic form”, the new Information and Records Regulation replaces the word “physical” and instead permits information and records to be stored in “electronic form and if required, in any other form, as may be appropriate for its business”. Why this substitution has been made, and what other forms of record maintenance it covers apart from electronic and physical, has not been clarified by the Information and Records Regulation.

 

  3. Re-insurance Advisory Committee [Amendment]

The Re-insurance Advisory Committee Amendment Regulation now permits the IRDAI to remove any member of the Re-insurance Advisory Committee owing to insolvency, physical or mental incapability, conviction of any offence involving moral turpitude, acquisition of financial or other interests prejudicial to their being on the Committee, abuse of power, failure to attend three consecutive meetings of the Committee without cause, or if, in the IRDAI’s opinion, the member is no longer fit to be on the Committee. This essentially gives unfettered power to the IRDAI to remove a member from the Committee if it feels such member should no longer be on the Committee. Additionally, the Amendment permits online mode of meeting for the Committee.

  4. Insurance Advisory Committee [Amendment]

The Insurance Advisory Committee Amendment designates the Secretary of the Insurance Advisory Committee as the “Designated Officer”, who is responsible for circulating notices and agendas of meetings as well as sending minutes of meetings. It changes the minimum requirement for meetings of the Committee from twice in a calendar year to twice in a financial year. It also permits online mode of meeting for the Committee. It provides for emergency meetings (with at least 24 hours’ notice) and permits meetings to be conducted with less than 7 days’ notice if approved by the Chairman of the IRDAI. The Insurance Advisory Committee Amendment also permits the IRDAI to remove any member of the Committee owing to insolvency, physical or mental incapability, conviction of any offence involving moral turpitude, acquisition of financial or other interests prejudicial to their being on the Committee, abuse of power, failure to attend three consecutive meetings of the Committee without cause, or if, in the IRDAI’s opinion, the member is no longer fit to be on the Committee.

  5. Meetings [Amendment]

The Meetings Amendment governing meetings of the IRDAI also sees certain procedural changes. It similarly designates the Secretary of the IRDAI Board as the “Designated Officer” entrusted with the responsibility of issuing notices, circulating agendas, and handling meeting minutes. It changes the minimum number of meetings for the Board from “six times in a year” to “4 times in a financial year”. It permits online mode of meetings and permits meetings to be conducted with less than seven days’ notice with the Chairman’s approval, along with emergency meetings called by the Chairman with at least 24 hours’ notice. Emergency meetings must be requisitioned in writing, specifying the purpose of the meeting, and signed off by not less than half of the total strength.

Key Takeaways and Concluding Remarks

The IRDAI’s latest regulatory reforms mark a notable shift towards a more agile and digitally-oriented insurance sector in India. Key changes under the new regulations and strategic amendments include the expansion of regulatory sandbox capabilities, enhanced data protection measures aligned with the DPDP Act, streamlined information management systems, and more flexible operational procedures for the various committees. These reforms collectively reflect the regulator’s forward-looking approach in balancing technological advancement with robust oversight, setting a progressive foundation for the insurance industry’s future growth while ensuring adequate consumer protection through improved data security and governance measures.


Authors: Mr Neeraj Vyas, Partner, Ms Mona Gupta, Principal Associate, and Mr Sidharth S. Kumar, Intern
