Which regulators apply to voice AI in India?

Five primary regulators: DPDP (always — every deployment processes personal data), TRAI DLT (outbound commercial calls), RBI (regulated lenders — banks, NBFCs, ARCs, fintechs under Digital Lending Guidelines), IRDAI (insurers and intermediaries), and RERA (real estate, state-level). Sectoral overlays beyond these include SEBI, CDSCO/NMC, FSSAI, and NHA/ABDM for specific verticals. Most Indian voice AI deployments operate under at least two regulators; BFSI and insurance typically run under three.

Do I need TRAI DLT registration for voice AI calls?

Yes, for any outbound commercial voice call beyond pure transactional confirmations. The DLT framework requires registration of senders, headers and templates, classification of calls as transactional vs service vs promotional, DND scrubbing before dial, and audit-trail logging of every call. Production-grade voice AI platforms enforce DLT classification at the dialler level — manual classification after the fact is not a defence.

Does DPDP apply to voice AI even for inbound calls?

Yes. DPDP applies whenever personal data is processed — at minimum, phone numbers, conversation transcripts, and any captured identifiers. Inbound calls run under legitimate-use grounds for service delivery, but the obligations on notice, retention, opt-out, and grievance still apply. Indian-region data residency is the safe default for sensitive verticals (BFSI, insurance, healthcare) even though DPDP doesn't mandate it for all personal data.

What does RBI Fair Practices Code require for AI collection calls?

Calling hours 8am–7pm IST, identity disclosure within 30 seconds, no abusive or threatening language, no workplace disruption, no pressuring of family or references, recording retention (90 days minimum, 12+ months recommended), and grievance redressal aligned to the RBI Integrated Ombudsman Scheme. Human collection agents need IIBF-DRA certification; AI doesn't pass IIBF, so the platform's compliance architecture must serve as the auditable substitute.

How does IRDAI apply to insurance voice AI calls?

Identity and capacity disclosure at call start, no mis-selling language, recorded consent for any policy-impacting changes (renewal at different premium, rider addition, beneficiary change, surrender), grievance routing aligned to the IRDAI ombudsman, and tighter sectoral overlays for health and life insurance (cooling-off periods, surrender value disclosure, pre-existing condition handling). Recording retention is often 3+ years for life insurance grievance defence.

Does RERA apply to real estate voice AI calls?

Yes — state-level, with broad commonalities. RERA registration number must be disclosed in marketing communications. Accuracy of marketing claims (possession dates, carpet area, amenities) must match the project's RERA filing. Brokerage disclosure when asked. Grievance routing per the relevant state RERA. Recording retention is state-variable; 12 months is a defensible default.

How do I operationalise multi-regulator compliance for voice AI?

Four practices: maintain one canonical compliance register that maps every campaign to applicable regulators and obligations. Enforce compliance at the platform layer, not the campaign layer — calling-hour gates, DND scrubbing, identity disclosure templates, recording retention, escalation rules all configured in the platform, not remembered by humans. Build an audit trail that survives a supervisory request — every call has a recording, transcript, classification, consent context, script version, and platform configuration queryable on demand. Run quarterly compliance reviews against the live deployment.

Voice AI India Regulatory Map 2026 — DPDP vs TRAI vs RBI vs IRDAI vs RERA | Caller Digital

There is no single regulator for voice AI in India. There are at least five, and which ones apply to your deployment depends on what you're calling about, who you're calling, what data you're processing, and what sector you're operating in. Most Indian enterprises starting a voice AI programme in 2026 discover this the hard way — usually two weeks before go-live, when the legal team comes back with a list of obligations the procurement team didn't price in.

This is the map. It tells you, for any given voice AI use case, which regulators have a claim on you, what the high-level requirements look like, and which of our deep-dive guides covers the operational details. It is not legal advice — it is the framework that lets you have a productive conversation with your legal team without spending six weeks researching from zero.

The five regulators that always matter

Five regulators apply, in some combination, to every Indian voice AI deployment.

DPDP — the Digital Personal Data Protection Act 2023. Always applies, because every voice AI deployment processes personal data — at minimum, phone numbers and conversation transcripts. Governs lawful ground for processing, notice and consent, retention, opt-out, and grievance redressal. The horizontal data-protection law that sits underneath everything else.

TRAI DLT — the Distributed Ledger Technology platform for commercial communications. Applies to all outbound voice and SMS that is "commercial" — which, in practice, is most outbound calling beyond pure transactional contexts. Mandates registration of senders, headers and templates, DND scrubbing before dial, and classification of calls as transactional vs promotional vs service.

RBI — the Reserve Bank of India. Applies if you are a regulated lender (bank, NBFC, ARC, payments bank) or operate under the 2022 Digital Lending Guidelines. Fair Practices Code governs collection-call conduct; the Recovery Agents Code (DRA) governs agent training and supervision; the Digital Lending Guidelines govern loan-related calls.

IRDAI — the Insurance Regulatory and Development Authority. Applies if you are an insurer, a corporate agent, an insurance intermediary, or a TPA. Governs identity disclosure, no-mis-selling language, recorded consent for any policy-impacting changes, and grievance routing aligned to the IRDAI ombudsman.

RERA — the Real Estate Regulatory Authority (state-level). Applies if you are a registered real-estate developer or broker. Governs disclosure of registration numbers, accuracy of marketing claims, and grievance routing per the relevant state RERA.

There are sectoral overlays beyond these five — SEBI for capital markets and mutual funds, CDSCO and the National Medical Commission for healthcare and pharma, the National Authority for Food Safety for FSSAI-regulated calls, and the National Health Authority for ABDM/health-record-touching workflows. We'll cover the sectoral edge cases in a separate update; this guide focuses on the five that apply to most Indian voice AI deployments.

The decision tree: which regulators apply to your use case

Walk through these five questions in order. The yes-answers tell you the regulators you have to satisfy.

Q1: Are you processing the personal data of any natural person? If yes (which it always is for voice AI): DPDP applies. Always.

Q2: Are you placing outbound voice calls that are not pure transactional confirmations triggered by the customer's own action in the last 24 hours? If yes: TRAI DLT applies. Outbound is the primary trigger; the 24-hour transactional carve-out is narrow.

Q3: Are you, or is your client, a regulated lender (bank, NBFC, ARC, fintech operating under the Digital Lending Guidelines, microfinance institution)? If yes: RBI applies. Specifically the Fair Practices Code, the Recovery Agents Code, and where applicable the Digital Lending Guidelines.

Q4: Are you, or is your client, an insurer, corporate agent, insurance intermediary, web aggregator, or TPA? If yes: IRDAI applies. Sectoral overlays for health and life insurance are tighter than for general insurance.

Q5: Are you, or is your client, a registered real-estate developer or broker placing pre-sales, EOI, site-visit, or follow-up calls? If yes: RERA applies. State-specific; check the RERA jurisdiction relevant to the project.

The most common multi-regulator combinations:

D2C e-commerce cart recovery / COD verification: DPDP + TRAI DLT.
NBFC / bank EMI reminder, collections, KYC follow-up: DPDP + TRAI DLT + RBI (FPC, DRA, DLG).
Insurance renewal, claims, lead callback: DPDP + TRAI DLT + IRDAI (sectoral overlays for health/life).
Real estate lead qualification, site-visit booking, sales calls: DPDP + TRAI DLT + RERA.
Hospital appointment booking, healthcare reminders: DPDP + TRAI DLT (plus sectoral healthcare overlays).
B2B SaaS inside-sales prospecting: DPDP + TRAI DLT.
Inbound customer support (any vertical): DPDP. TRAI DLT does not apply to inbound; sectoral regulators still do if you are in their scope.

DPDP in one page (the always-on layer)

DPDP applies to every deployment. The obligations that bear on voice AI:

Lawful ground for processing. Every personal-data processing activity needs a defined ground — typically "consent" (Section 6) or "legitimate uses" (Section 7) for our purposes. Outbound transactional calls (you signed up for this, we're calling about your order) usually run under legitimate-use grounds. Outbound promotional calls (we have an offer for you) require consent. Inbound calls run under legitimate-use for service delivery.

Notice and consent capture. Where consent is the ground, the notice must be specific, in plain language, in the customer's preferred language where reasonable, and the consent has to be revocable. The audit trail — who consented, to what, on what date, on what version of the notice — has to be defensible.

Purpose limitation. Data captured for one purpose can't quietly migrate to another. The transcript of a collections call cannot be used for cross-sell mailings without a separate consent.

Retention. Data has to be retained only as long as needed for the purpose plus any regulatory minimum. Voice recordings have a sectoral overlay — RBI typically requires 90 days minimum; some sectors require longer.

Opt-out and grievance. Every customer has to have a documented, accessible opt-out path and a grievance officer they can escalate to.

Data residency. DPDP doesn't mandate India-only residency for general personal data, but it does carve out a category of "sensitive personal data" with tighter handling. India-region storage and processing is the safe operational default for sensitive verticals.

Deep dive: see DPDP Compliance Field Guide for AI Calling in India and DPDP Act Compliance Checklist for Voice AI India.

TRAI DLT in one page (the outbound layer)

TRAI DLT governs outbound commercial communications. The mechanics:

Registration. The principal entity (you, or your client) registers on the DLT platform. Headers (the sender ID) and templates (the message content) are registered separately. Voice has analogous requirements: the calling-line identity and the script template have to be registered.

Classification. Every outbound communication is classified as transactional, service-implicit, service-explicit, or promotional. Voice calls fall into similar buckets. Transactional calls bypass DND; service and promotional calls are gated.

DND scrubbing. Before any non-transactional call is placed, the customer's number must be checked against the National DND Register and the customer's preference set. Calls that would violate DND must not be placed.

Audit trail. Every call is logged with sender, header, template, timestamp, classification, and outcome. Available to TRAI on supervisory request.

Consent for promotional calls. Verifiable consent — including an opt-in record, the opt-in mechanism, and the version of the disclosure — for any number to which promotional calls are placed.

The operational reality: a voice AI platform that handles DLT classification at the dialler level — automatically tagging each call by campaign type and enforcing DND/consent at pre-dial — is the only way this scales. Manual classification after the fact is not a defence.

Deep dive: see TRAI DND/DLT/TCCP Compliance Field Manual for AI Outbound Calling India 2026.

RBI in one page (the BFSI overlay)

RBI applies if any party in the deployment is a regulated lender. The obligations that bear on voice AI:

Calling hours. 8:00am–7:00pm IST for collection calls. No exceptions, including borrower preference.

Identity disclosure. Within 30 seconds of call open: who you are, what entity, what purpose. Recording disclosure separately.

No abusive, intimidating, or threatening language. Tone matters as much as words. The Reserve Bank's Department of Supervision has tightened scrutiny since the 2024–2025 harassment cases.

No workplace disruption. No calls to employer, no voicemails with colleagues, no repeated office-hours calls.

No pressuring of family or references. References captured at origination are for verification, not collection leverage.

Recording retention. Minimum 90 days. Best practice 12+ months for grievance defence; 3+ years for high-value loans.

DRA Code analogue. Human collection agents must be IIBF-DRA certified. AI doesn't pass IIBF — but the platform's compliance architecture has to be the auditable substitute. This is what RBI examiners increasingly probe.

Grievance redressal. Documented, accessible escalation path to a grievance officer, aligned to the RBI Integrated Ombudsman Scheme.

Digital Lending Guidelines (2022). For loan-related calls — disclosure of effective interest rate, repayment terms, and the lender's identity. Cooling-off period rules. KFS (Key Fact Statement) availability.

Deep dive: see RBI Fair Practices Code for AI Collection Calls: The 2026 Definitive Guide.

IRDAI in one page (the insurance overlay)

IRDAI applies if any party is an insurer or insurance intermediary. The obligations that bear on voice AI:

Identity and capacity disclosure. "I am calling on behalf of [insurer name], in my capacity as [agent / intermediary / TPA]." Within the opening seconds of the call.

No mis-selling language. Claims about coverage, exclusions, premium amounts, returns (for ULIPs), or tax benefits must be accurate and aligned to the policy document. Voice agents that hallucinate policy details are an exposure profile.

Recorded consent for policy-impacting changes. Renewal at a different premium, rider addition, beneficiary change, surrender — all require recorded customer consent with clear comprehension confirmation.

Sectoral overlays. Health insurance: pre-existing condition disclosure handling, sub-limit disclosure. Life insurance: cooling-off period, surrender value disclosure. General insurance: claim documentation.

Grievance routing. Aligned to the IRDAI ombudsman. Each call should have a documented escalation path.

Recording retention. Tighter than general — life insurance often requires 3+ years for grievance defence.

Deep dive: see IRDAI-Compliant AI Calling for Insurance Sales and Renewal in India.

RERA in one page (the real-estate overlay)

RERA is state-level — every state has its own RERA, with broad commonalities. The obligations that bear on voice AI:

Registration disclosure. RERA registration number of the project must be disclosed in the marketing communication. Voice AI calls placing real-estate offers have to disclose the registration number; promotional language without it is non-compliant.

Accuracy of marketing claims. Possession dates, carpet area, amenities, layout — must match the project's RERA filing. Voice agents that quote "we'll deliver in 18 months" against a project filed for 30-month delivery are a violation.

Brokerage and consideration disclosure. If the caller is a broker, the brokerage structure must be disclosed when asked.

Grievance routing. State-specific; aligned to the RERA's complaint mechanism.

Recording retention. State-variable; 12 months is a defensible default.

Deep dive: see RERA-Compliant AI Calling for Real Estate in India 2026.

How to operationalise multi-regulator compliance

Most enterprises in the BFSI, insurance, and real-estate verticals are running across at least three regulators (DPDP + TRAI + sectoral). The operational pattern that works:

One canonical compliance register. A single source of truth that maps every voice AI campaign to the regulators that apply, the obligations under each, and the platform configuration that enforces them. Don't keep five spreadsheets in five teams.

Compliance enforced at the platform layer, not the campaign layer. Calling-hour gates, DND scrubbing, identity-disclosure templates, recording retention, escalation rules — all enforced by the voice AI platform configuration, not by a campaign manager remembering to set them. Manual enforcement scales linearly with campaigns; platform enforcement scales O(1).

Audit trail that survives a supervisory request. Every call has a recording, a transcript, a classification, the consent context, the script version, and the platform configuration at call time, all queryable on demand. Anything less than this is undefended.

Regular re-review. Regulations move. DPDP rules are still being notified through 2026. RBI's stance on AI calling is tightening. IRDAI is publishing new circulars. A quarterly compliance review against the live deployment is the minimum.

What's coming in 2026–2027

A few directions the regulators are visibly heading. RBI is moving toward explicit guidance on AI in collection calls — expected drafts within 12 months. IRDAI has indicated that AI-driven insurance solicitation will get a sectoral guideline. The DPDP Rules are still being notified in tranches; expect tightening on consent capture for outbound voice through 2026. TRAI is evolving the DLT framework with stronger AI-specific tags.

The enterprises that build the compliance posture into the platform now — rather than retrofitting after the fact — will have material capacity advantage as the rules tighten. The pattern of "we'll fix it when the regulator notifies the rule" is a pattern that produces 6-month operational pauses every time a new circular drops.

Use this map

Print this. Send it to your legal team. Walk through the five questions for each voice AI use case you're piloting or running. Cross-reference the deep-dive guides for the regulators that apply.

If you're choosing a voice AI vendor, the question to ask is not "are you compliant" — every vendor will say yes. The question is "show me, for our use case, which of these five regulators apply, what your platform does to enforce each, and how I can audit that enforcement after the fact." A vendor that has prepared answers to that question is a vendor whose platform is built for the Indian regulatory reality of 2026. Talk to us.

The Voice AI India Regulatory Map 2026: Which Regulator Applies to Your Use Case (DPDP vs TRAI vs RBI vs IRDAI vs RERA)