Indian contact centers operate under four overlapping regulatory frameworks: the Digital Personal Data Protection Act (DPDP), the Reserve Bank of India Fair Practices Code (RBI FPC), Telecom Regulatory Authority of India (TRAI) calling rules, and the Insurance Regulatory and Development Authority (IRDAI) norms for insurance call centers. Penalties under these frameworks are not theoretical — DPDP alone prescribes fines up to Rs.250 crore per violation. This guide is the single reference for what each framework requires, where they overlap, and how to build defensible audit evidence under all four simultaneously.
This is the canonical pillar across our existing compliance content — see also the DPDP Act compliance guide for DPDP deep-dive, the Indian compliance checklist for operational checklist format, automated debt collection QA for RBI FPC enforcement on collections, and the 2026 call center compliance guide for global context.
Quick reference
The Digital Personal Data Protection Act, 2023, with rules notified through 2024-2025, establishes India's first comprehensive personal data protection regime. Customer calls process personal data (names, account numbers, addresses, financial details, health information), so every Indian contact center falls under DPDP: as a Data Fiduciary when it decides why and how that data is processed, or as a Data Processor when it records and scores calls on a client's behalf, in which case the client is the fiduciary and the obligations below reach the contact center through its contract with that client. Either way, the controls have to exist wherever the recordings actually live.
Purpose-specific consent before recording. Every call recording requires the customer's consent for the specific purpose (quality assurance, training, dispute resolution). Generic "calls may be recorded" disclaimers no longer suffice — the consent must be tied to a stated purpose.
Data Principal rights. Customers have the right to access, correct, and delete their call recordings. Contact centers must build operational workflows for fulfilling these requests within prescribed timeframes (typically 30 days).
Retention limits. Call recordings cannot be retained indefinitely. The retention period must be tied to the consented purpose — once the purpose is fulfilled, recordings must be deleted or anonymized.
Cross-border transfer controls. DPDP allows recordings to be stored or processed outside India unless the Central Government has notified the destination country or territory as restricted (Section 16 works as a restriction list, not an approval list), and stricter sectoral rules, such as RBI's localization requirements for payment data, continue to apply on top. Most major cloud regions (AWS, Azure, GCP) are therefore usable, but the storage region, cross-region replication targets, backup locations and vendor support-access paths must actually be configured to keep the data where you think it is.
Security safeguards. Reasonable security safeguards to prevent personal data breaches: encryption at rest and in transit, role-based access to recordings, audit logs of who listened to or exported what, and a working process to notify the Data Protection Board and affected Data Principals when a breach does occur.
| Violation Category | Maximum Penalty |
|---|---|
| Failure to maintain reasonable security safeguards | Rs.250 crore |
| Failure to notify breach within prescribed timeframe | Rs.200 crore |
| Failure to fulfill Data Principal rights | Rs.50 crore |
| Other DPDP violations | Up to Rs.50 crore |
These are maximums, not actuals — the Data Protection Board adjusts penalties based on severity, intent, and remediation. But Rs.250 crore exposure is real for systemic security failures.
For deeper DPDP coverage, see our dedicated DPDP Act compliance guide.
The RBI Fair Practices Code (FPC) governs how NBFCs and lending institutions interact with borrowers — particularly during collections. The FPC is the single most enforced contact center compliance framework in India in 2026 because of (a) the digital lending boom and (b) high-profile customer complaints about agent conduct.
No harassment or intimidation. Agents cannot use threatening language, abuse, or coercion to recover dues. This includes implicit threats ("we will destroy your CIBIL"), explicit threats ("we will send police"), or repeated calls beyond reasonable hours.
Calling hour restrictions. RBI's recovery norms restrict collections calls to 8 AM to 7 PM. The 9 AM to 9 PM window sometimes cited is TRAI's general window for commercial communication, not an alternative reading of the RBI rule; where both sets of rules apply to the same call, the intersection of the two windows governs. Calls outside the permitted hours create separate violations regardless of how the agent conducts the call.
Identity and purpose disclosure. Agents must identify themselves and the lending institution at the start of every call. "Hi, this is Amit calling from XYZ Finance regarding your loan account..." is the canonical opening.
Privacy of borrower information. Agents cannot disclose the borrower's default status to third parties — family members, colleagues, references, or anyone other than the borrower themselves.
No misleading statements. Agents cannot misrepresent legal consequences, credit impact, or recovery actions. False claims about police action, court notices, or criminal proceedings are explicit violations.
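The conduct rules above become mechanically checkable once a call is transcribed with timestamps. The following Python is an added example, not Gistly code and not taken from any RBI text, of a rule-based scorer for three of them: identity and lender disclosure inside the first 30 seconds, threatening language from the agent, and disclosure of loan details after the person on the line has identified as someone other than the borrower. The phrase lists, the 30-second window and both transcripts are constructed for the example; a production scorer would tune the patterns per lender and per language, including Hindi-English code-switching.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Turn:
    t: float        # seconds from call start
    speaker: str    # "agent" or "customer"
    text: str

# Hypothetical phrase lists, assumed for this example (not from the page or any regulator text).
THREAT_PATTERNS = [re.compile(p, re.I) for p in (
    r"\b(send|call)(ing)? (the )?police\b", r"\barrest\b", r"\bjail\b",
    r"\b(destroy|ruin|finish) your (cibil|credit)\b", r"\bcriminal (case|proceedings?)\b",
    r"\b(fir|court notice) (will be|has been) (filed|sent)\b",
)]
# Customer-side signals that the person on the line is not the borrower.
NOT_BORROWER = re.compile(
    r"\b(i am|i'm|this is) (his|her|their) (wife|husband|mother|father|brother|sister|son|daughter|colleague|friend)\b"
    r"|\b(he|she) (is not|isn't) (here|home|available)\b", re.I)
LOAN_TERMS = re.compile(r"\b(loan|emi|overdue|default(ed)?|outstanding|due amount)\b", re.I)
# "this is Amit calling from XYZ Finance" / "my name is Priya, on behalf of ..."
IDENTITY = re.compile(r"\b(this is|my name is|i am|i'm) \w+\b.{0,40}\b(from|on behalf of)\b", re.I)

def score_call(turns: List[Turn], lender: str, identity_window_s: float = 30.0) -> Dict[str, object]:
    """Return per-call findings for three RBI FPC conduct rules.

    (1) agent states name and lender within identity_window_s,
    (2) no threatening language in any agent turn,
    (3) no loan details spoken after a non-borrower is identified on the line.
    """
    findings: List[str] = []
    identified = any(
        tr.speaker == "agent" and tr.t <= identity_window_s
        and IDENTITY.search(tr.text) and lender.lower() in tr.text.lower()
        for tr in turns)
    if not identified:
        findings.append(f"identity_disclosure_missing_within_{int(identity_window_s)}s")
    third_party_on_line = False
    for tr in turns:
        if tr.speaker == "customer" and NOT_BORROWER.search(tr.text):
            third_party_on_line = True   # from here on, loan details are a third-party disclosure
            continue
        if tr.speaker != "agent":
            continue
        for pat in THREAT_PATTERNS:
            if pat.search(tr.text):
                findings.append(f"threat@{tr.t:.0f}s:{pat.pattern}")
        if third_party_on_line and LOAN_TERMS.search(tr.text):
            findings.append(f"third_party_disclosure@{tr.t:.0f}s")
    return {"lender": lender, "compliant": not findings, "findings": findings}

# Constructed sample transcripts (not real calls).
COMPLIANT_CALL = [
    Turn(0.0, "agent", "Hi, this is Amit calling from XYZ Finance regarding your loan account ending 4421."),
    Turn(6.0, "customer", "Yes, speaking."),
    Turn(9.0, "agent", "Your EMI of Rs 4,200 was due on the 5th. Can we agree a payment date today?"),
]
VIOLATING_CALL = [
    Turn(0.0, "agent", "Hello, is this Ramesh?"),
    Turn(3.0, "customer", "No, I am his wife. He is not home."),
    Turn(7.0, "agent", "Tell him his loan EMI is overdue and we will send police if it is not paid by Friday."),
    Turn(40.0, "agent", "This is Amit from XYZ Finance, by the way."),
]

if __name__ == "__main__":
    print(score_call(COMPLIANT_CALL, "XYZ Finance"))
    print(score_call(VIOLATING_CALL, "XYZ Finance"))
```

The second transcript produces three findings from one 40-second call (late identification, a threat, and loan details spoken to the borrower's wife), which is the kind of event a 2-5% sample is unlikely to contain.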
FPC violations can trigger regulatory action against the NBFC's lending license, not just monetary fines. For FinTechs that depend on their NBFC partnerships or lending license, this is an existential risk. RBI has issued multiple show-cause notices and monetary penalties (typically Rs.5-50 lakh per finding) to NBFCs in 2024-2025.
Operational compliance with FPC requires monitoring every collections call for these conduct rules. A 2-5% sample leaves 95-98% of calls unreviewed, and the threatening-language and third-party-disclosure incidents that generate complaints are rare enough per call that a small sample usually contains none of them. Our automated debt collection QA guide covers the implementation pattern for FinTech and NBFC operations.
The Telecom Regulatory Authority of India (TRAI) governs how all commercial calls are placed in India — not just collections. TRAI regulations apply to every outbound contact center operation, including telesales, support callbacks, and follow-ups.
DND Registry compliance. The Do Not Disturb registry lets consumers opt out of commercial communications. Contact centers must scrub their dialing lists against the DND registry before placing calls. Calling a registered DND number for unsolicited commercial purposes is a violation.
Time-of-day restrictions. Commercial calls are restricted to 9 AM to 9 PM (general commercial communication). Specific industries have tighter windows (collections at 8 AM to 7 PM under RBI FPC).
Sender ID transparency. Calls must originate from registered numbers tied to the calling entity. Spoofed CLI (caller ID) or "ghost calling" violates TRAI norms.
Frequency limits. Repeated calls to the same number for the same purpose within short windows (less than 24 hours) violate consumer protection norms even if the original purpose is legitimate.
Consent for marketing communications. Marketing/promotional calls require explicit prior consent (DLT — Distributed Ledger Technology — registration). Sales calls without DLT registration are non-compliant.
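The DND, time-of-day and frequency rules above are a pre-dial gate, and the part that most often fails quietly is number normalisation: a registry export in one format and a dial list in another scrub to zero matches and every DND number gets called. The following Python is an added example (not Gistly's or TRAI's code) of such a gate using the two windows stated on this page. The registry, consent list, dial list and timestamps are constructed; the assumption that DND applies only to promotional calls without recorded consent, while collections calls are gated by the RBI window and frequency cap alone, is this example's simplification and should be confirmed against the current TCCCPR text before use.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

IST = timezone(timedelta(hours=5, minutes=30))  # India has no DST, so a fixed offset is correct

# Permitted local-time windows as stated on the page (start hour inclusive, end hour exclusive).
# Kept as data so a rule change is a configuration edit, not a code change.
WINDOWS: Dict[str, Tuple[int, int]] = {
    "collections": (8, 19),   # RBI FPC: 8 AM - 7 PM
    "commercial":  (9, 21),   # TRAI: 9 AM - 9 PM
}

def normalize_msisdn(raw: str) -> Optional[str]:
    """Canonicalise an Indian mobile number to E.164 (+91XXXXXXXXXX).

    Both the dial list and the registry export go through this function; otherwise
    '98765 43210' and '+919876543210' never match. Returns None for anything that is
    not a 10-digit Indian mobile number.
    """
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0091"):
        digits = digits[4:]
    elif digits.startswith("91") and len(digits) == 12:
        digits = digits[2:]
    elif digits.startswith("0") and len(digits) == 11:
        digits = digits[1:]
    return "+91" + digits if len(digits) == 10 and digits[0] in "6789" else None

def dial_decision(raw_number: str, campaign: str, now: datetime,
                  dnd: Set[str], consent: Set[str],
                  last_attempt: Dict[str, datetime],
                  min_gap: timedelta = timedelta(hours=24)) -> Tuple[bool, str]:
    """Gate one outbound attempt. Returns (allowed, reason). `now` must be tz-aware."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware; naive timestamps hide window errors")
    number = normalize_msisdn(raw_number)
    if number is None:
        return False, "invalid_number"
    # Assumption (this example's simplification): DND blocks promotional calls unless the
    # number has recorded consent; collections calls are gated by window and frequency only.
    if campaign == "promotional" and number in dnd and number not in consent:
        return False, "dnd_no_consent"
    start, end = WINDOWS["collections" if campaign == "collections" else "commercial"]
    local = now.astimezone(IST)
    if not start <= local.hour < end:
        return False, f"outside_window_{start:02d}-{end:02d}_IST"
    prev = last_attempt.get(number)
    if prev is not None and now - prev < min_gap:
        return False, "frequency_cap"
    return True, "ok"

def scrub_list(raw_numbers: List[str], campaign: str, now: datetime, dnd: Set[str],
               consent: Set[str], last_attempt: Dict[str, datetime]) -> List[Tuple[str, bool, str]]:
    """Apply dial_decision to a whole list; keeps the raw string so the result can be audited."""
    return [(n, *dial_decision(n, campaign, now, dnd, consent, last_attempt)) for n in raw_numbers]

# Constructed sample data (not a real registry or dial list).
DND_REGISTRY = {normalize_msisdn("09876543210")}           # registry export in 0-prefixed format
CONSENT_REGISTRY = {normalize_msisdn("+91 91234 56789")}   # opted in to promotions
DIAL_LIST = ["+91 98765 43210", "91-9123456789", "9000000001", "12345"]
MORNING_UTC = datetime(2026, 4, 10, 5, 30, tzinfo=timezone.utc)   # 11:00 IST
EVENING_UTC = datetime(2026, 4, 10, 14, 0, tzinfo=timezone.utc)   # 19:30 IST
LAST_ATTEMPT = {"+919000000001": MORNING_UTC - timedelta(hours=2)}

if __name__ == "__main__":
    for row in scrub_list(DIAL_LIST, "promotional", MORNING_UTC, DND_REGISTRY, CONSENT_REGISTRY, LAST_ATTEMPT):
        print("promotional 11:00 IST", row)
    for row in scrub_list(DIAL_LIST, "collections", EVENING_UTC, DND_REGISTRY, CONSENT_REGISTRY, LAST_ATTEMPT):
        print("collections 19:30 IST", row)
```

Note that the 19:30 IST collections run blocks every valid number: the dialer clock is evaluated in IST, not in the server's UTC, which is where shift-change-window violations usually come from.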
TRAI penalties are typically Rs.1,000 to Rs.10,000 per violation but can compound rapidly across a contact center handling 10,000+ outbound calls per day. More significantly, TRAI can direct telecom carriers to block the calling entity's numbers — an operational kill-switch for outbound contact centers.
Carrier-level blocks are the bigger risk for ongoing operations than individual fines. A telesales BPO whose dialer numbers are blocked by Vodafone, Airtel, and Jio simultaneously is functionally out of business until the blocks lift.
The Insurance Regulatory and Development Authority of India (IRDAI) governs all insurance sales and service operations, including contact centers selling or servicing insurance policies.
Mandatory call recording for all sales calls. Every insurance sales conversation must be recorded and retained for the prescribed period (typically 2 years post-policy-end-date). This is regulatory mandate, not optional.
Mis-selling prevention. Agents cannot misrepresent policy features, returns, or coverage. The IRDAI's mis-selling norms prescribe specific verifiable disclosures (sum assured, premium amount, policy term, exclusions) on every sales call.
Solicitor identification. Agents must clearly state their name, IRDAI registration number, and the company they represent. Anonymous or pseudonymous selling is non-compliant.
Need analysis documentation. Before recommending a policy, agents must document the customer's needs and verify the recommendation matches those needs. This is verifiable from call recordings.
Free-look period explanation. Agents must explain the customer's right to cancel within the free-look period without penalty. IRDAI's 2024 policyholder-protection regulations set this at 30 days from receipt of the policy document for all policies; older scripts that still say 15 days understate the customer's right and should be updated.
IRDAI mis-selling penalties range from Rs.1 lakh to Rs.1 crore per finding, plus potential license suspension for systemic violations. Insurance brokers and corporate agents have lost IRDAI registration over mis-selling patterns identified through customer complaints.
Insurance contact centers need 100% audit coverage to defend against mis-selling allegations — a single sample-based review cannot demonstrate that every sales call followed the prescribed disclosure script.
The four frameworks are not redundant — each addresses different concerns:
| Concern | DPDP | RBI FPC | TRAI | IRDAI |
|---|---|---|---|---|
| Data privacy | Primary | Secondary | No | Secondary |
| Calling hours | No | 8 AM - 7 PM | 9 AM - 9 PM | No |
| Identity disclosure | Indirect | Required | Required | Required |
| Recording requirement | Consent-based | Implicit | No | Mandatory |
| No harassment | No | Primary | No | No |
| Mis-selling | No | No | No | Primary |
| Cross-border data | Primary | No | No | No |
| Customer rights | Primary | Indirect | DND opt-out | Free-look |
A single 5-minute collections call to an insurance customer can simultaneously trigger considerations under all four frameworks. The overlap means compliance can't be siloed — DPDP team, FPC team, TRAI team, and IRDAI team operating in parallel produces gaps.
Manual QA sampling 2-5% of calls cannot meaningfully verify compliance with these frameworks; the other 95-98% of calls are simply unreviewed. AI-powered 100% coverage checks every call against every applicable framework with specific, framework-mapped detections rather than a generic quality score. Our Scale QA from 5% to 100% Coverage guide covers the implementation framework, and our automated call scoring post explains the underlying methodology.
When regulators investigate, the burden of proof falls on the contact center to demonstrate compliance. Audit evidence under each framework requires:
1. Continuous, not point-in-time. Regulators expect to see compliance evidence across the full audit period (typically 6-24 months), not a snapshot.
2. Per-call traceability. "We had a 92% compliance rate" is weaker than "every call from this period was scored against this scorecard, here is the per-call audit log."
3. Retention aligned to framework. DPDP requires retention tied to consent purpose. RBI FPC and IRDAI specify mandatory retention periods. Audit logs must persist accordingly.
4. Independent attestation. Evidence is credible in proportion to how hard it is for the people being measured to alter it. Scores produced by a system that agents and team leads cannot edit, with documented human calibration spot-checks, carry more weight than self-reported manual review scores. Since 100% manual review at scale is not feasible anyway, the practical question is whether the automated record is complete and tamper-evident.
5. Trend visibility. Regulators look at improvement trajectories as well as absolute scores. "We detected the violation pattern, surfaced it through AI QA on day 1, coached the agent within 48 hours, and verified resolution by day 7" is materially better than "we reviewed three calls last quarter."
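Per-call traceability (point 2) and retention aligned to the consented purpose (point 3, and the DPDP retention requirement earlier on this page) are only evidence if the log cannot be quietly edited after the fact. The Python below is an added example, not Gistly's implementation, of a per-call scoring log in which each entry carries a keyed SHA-256 hash over its own content and the previous entry's hash, plus a deletion deadline derived from the consented purpose. The retention periods, key, scorecard name and records are assumed for the example, and HMAC chaining is this example's design choice rather than something the page or any regulator prescribes.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical retention periods in days after the consented purpose is fulfilled.
# The page states the principle; these numbers are assumed for the example.
RETENTION_DAYS: Dict[str, int] = {
    "quality_assurance": 90,
    "dispute_resolution": 365,
    "insurance_sale": 2 * 365,   # page: roughly 2 years after the policy end date
}
GENESIS = "0" * 64

def retention_until(purpose: str, fulfilled_on: date) -> date:
    """Deletion deadline derived from the consented purpose; no purpose means no retention basis."""
    if purpose not in RETENTION_DAYS:
        raise ValueError(f"no consented purpose '{purpose}': recording has no retention basis")
    return fulfilled_on + timedelta(days=RETENTION_DAYS[purpose])

def _canonical(entry: dict) -> bytes:
    """Deterministic serialisation of everything except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log: List[dict], key: bytes, record: dict) -> dict:
    """Append a per-call scoring record, chained to the previous entry and keyed-hashed."""
    entry = dict(record)
    entry["seq"] = len(log)
    entry["prev_hash"] = log[-1]["entry_hash"] if log else GENESIS
    fulfilled = date.fromisoformat(entry["purpose_fulfilled_on"])
    entry["retention_until"] = retention_until(entry["consent_purpose"], fulfilled).isoformat()
    entry["entry_hash"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry

def verify_chain(log: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """(True, None) if every entry is intact and in order, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return False, i          # reordered, deleted or inserted entry
        expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(entry.get("entry_hash", ""), expected):
            return False, i          # content edited after signing, or wrong key
        prev = entry["entry_hash"]
    return True, None

# Demo key only; in production the key lives in a KMS/HSM the QA team cannot read.
KEY = b"demo-only-key-do-not-reuse"

def build_demo_log() -> List[dict]:
    """Constructed sample records (not real calls)."""
    log: List[dict] = []
    append_entry(log, KEY, {
        "call_id": "c-1001", "scored_at": "2026-04-10T09:14:00+05:30", "scorecard": "rbi-fpc-v3",
        "scores": {"identity_disclosure": 1, "no_threats": 1, "calling_hours": 1},
        "consent_purpose": "quality_assurance", "purpose_fulfilled_on": "2026-04-10"})
    append_entry(log, KEY, {
        "call_id": "c-1002", "scored_at": "2026-04-12T18:40:00+05:30", "scorecard": "rbi-fpc-v3",
        "scores": {"identity_disclosure": 0, "no_threats": 1, "calling_hours": 1},
        "consent_purpose": "dispute_resolution", "purpose_fulfilled_on": "2026-04-12"})
    return log

def tamper_demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """What verify_chain reports for three common ways evidence gets 'improved'."""
    log = build_demo_log()
    edited = json.loads(json.dumps(log))
    edited[1]["scores"]["identity_disclosure"] = 1     # failing score quietly flipped to pass
    deleted = json.loads(json.dumps(log))[1:]          # inconvenient first call removed
    return {
        "intact": verify_chain(log, KEY),
        "edited_score": verify_chain(edited, KEY),
        "deleted_entry": verify_chain(deleted, KEY),
        "wrong_key": verify_chain(log, b"another-key"),
    }

if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The chain does not stop a privileged insider who holds the key from rewriting history, which is why the key belongs outside the QA team's control and the head hash should be published somewhere append-only (a ticket, a notarised daily summary) so the regulator can check the log against it.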
100% AI coverage produces all five characteristics by default. Sampling-based QA struggles with #1 and #2 in particular.
Based on aggregated audit findings from Indian BPO compliance reviews:
Top 5 DPDP gaps:
1. Generic "calls may be recorded" disclaimers without purpose specificity (89% of audited operations)
2. Indefinite recording retention with no automatic deletion workflow (73%)
3. No process for fulfilling Data Principal access/deletion requests (61%)
4. Cross-border data transfers without checking the destination against the central government's restriction list (47%)
5. Weak access controls on recording storage (38%)
Top 5 RBI FPC gaps:
1. Identity disclosure missing in the first 30 seconds on more than 5% of collections calls (82%)
2. Calling hour violations during high-volume periods (68%)
3. Third-party disclosure incidents (44%)
4. Threatening language in 1-3% of calls (found in every operation once 100% of calls are reviewed)
5. Inadequate calibration between in-house and outsourced agency QA standards (multi-vendor operations only)
Top 3 TRAI gaps:
1. DND registry scrubbing not automated (frequent in mid-market)
2. Outbound calls outside the 9 AM-9 PM window during shift-change periods
3. DLT registration gaps for marketing campaigns
Top 3 IRDAI gaps:
1. Need analysis documentation incomplete on 15-30% of sales calls
2. Free-look period explanation missing (especially on cross-sell/up-sell)
3. Solicitor IRDAI registration number not verbally stated
These gaps are typical, not exceptional. Most operations face all of them — the difference is whether AI auditing surfaces them within hours or whether they accumulate until a regulatory investigation finds them.
RBI Fair Practices Code is the most actively enforced in 2026 because of digital lending growth and customer complaints about agent conduct. DPDP Act is the largest in penalty exposure but enforcement is still ramping. TRAI is consistently enforced for outbound calling violations. IRDAI is selective but severe when triggered.
Yes if they process Indian residents' personal data. DPDP applies to processing of Indian residents' personal data regardless of where the contact center is physically located. UK or US BPOs serving Indian end-customers must comply with DPDP.
DPDP is broadly inspired by GDPR but with India-specific provisions: cross-border transfers are allowed except to countries the central government notifies as restricted (GDPR's adequacy model works the other way round), sectoral localization rules such as RBI's for payment data sit on top of it, and the "Data Fiduciary" role carries its own set of obligations. GDPR-compliant practices are a strong starting point for DPDP but are not automatically sufficient.
Theoretically yes, practically no at scale. Manual QA reviewing 2-5% of calls cannot verify compliance on the other 95%. When regulators investigate, "we sampled and found nothing" is increasingly treated as inadequate evidence — particularly for DPDP and IRDAI which expect continuous documentation.
All four frameworks apply to AI voicebots and virtual agents the same way they apply to human agents. An AI voicebot handling sales calls must verify IRDAI disclosures, capture DPDP consent, respect TRAI calling hours, and follow RBI FPC norms. Monitoring AI agents for compliance is an additional layer covered in our agentic AI in contact centers guide.
100% AI coverage with per-call timestamped scoring and persistent audit logs produces the strongest evidence. Sampling-based reports are increasingly treated as supporting evidence at best. The combination of AI auditing + weekly human calibration spot-checks is the emerging best practice for defensible compliance posture.
Compliance frameworks apply equally regardless of language. The challenge is that AI auditing platforms must support multilingual transcription accurately — not just for the obvious languages but for Hindi-English code-switching which is universal in Indian operations. Most Western AI QA platforms struggle with Indian language coverage; platforms built around Indian languages (like Gistly) are typically a better fit.
Combined exposure: Rs.250 crore (DPDP) + license risk (RBI FPC for NBFCs) + carrier blocks (TRAI) + Rs.1 crore per finding (IRDAI mis-selling) + brand damage and customer churn. Average finding cost (excluding penalties) for an Indian BPO is Rs.4.7 crore per investigated incident. The cost of 100% AI coverage is materially less than the expected value of a single significant finding.
Last updated: April 2026