TLDR: IRDAI's Video Based Identification Process (VBIP) mandates live video verification for remote insurance customer onboarding in India. InsurTech companies must build compliant real-time video infrastructure, capture geo-tagged consent, record sessions, and maintain auditable storage to pass regulatory scrutiny.
Introduction
India's insurance sector processed over 500 million policies as of recent IRDAI annual reports, and a growing share are issued through digital channels. That shift created a verification gap, how do insurers confirm a remote applicant's identity without physical presence?
IRDAI VBIP compliance InsurTech companies must achieve closes that gap. The Insurance Regulatory and Development Authority of India introduced the Video Based Identification Process as a structured, auditable alternative to in-person KYC. Getting it wrong carries consequences ranging from policy issuance blocks to licensing risk.
This guide covers every layer of VBIP compliance: the regulatory framework, process flow, technical architecture, a compliance checklist, operational metrics, and common implementation mistakes.
What is IRDAI VBIP?
Video Based Identification Process (VBIP): VBIP is an IRDAI-mandated procedure through which an insurer or its authorised intermediary conducts a live, recorded video interaction with a prospective policyholder to verify identity, confirm document authenticity, and capture informed consent before issuing a policy remotely.
KYC (Know Your Customer): KYC is the regulatory requirement for financial institutions to verify the identity and address of their customers before onboarding. VBIP is the video-first mechanism through which insurance KYC is completed in digital channels.
VBIP applies across life, general, and health insurance product lines wherever the customer is not physically present at a branch, and its protocols are increasingly relevant for secure, remote insurance claim settlement. It is not optional for digital-first onboarding. It replaces the earlier requirement for wet-ink signatures or in-person document submission when conducted correctly.
IRDAI introduced VBIP as part of broader IRDAI onboarding guidelines aimed at reducing fraud in digital insurance distribution. The process mirrors the video KYC framework established by RBI for banking, but with insurance-specific adaptations including policy-linked consent capture and insurer-side storage obligations.
Regulatory context and legal framework
Who must comply with VBIP?
Any entity licensed by IRDAI that onboards customers remotely must comply with VBIP rules. This includes:
- Life insurers
- General insurers
- Health insurers
- Insurance Web Aggregators (IWAs)
- Insurance Marketing Firms (IMFs)
- Corporate agents operating digital channels
InsurTech platforms that act as intermediaries or technology providers to the above entities are operationally bound by VBIP requirements even if they are not the licensed entity. If your platform initiates, manages, or records the verification session, you are within scope.
Relationship with AML, KYC, and Aadhaar frameworks
VBIP does not stand alone. It intersects with three adjacent regulatory systems:
Anti-Money Laundering (AML) rules: The Prevention of Money Laundering Act (PMLA) and IRDAI's AML guidelines require insurers to conduct customer due diligence (CDD) before policy issuance. VBIP serves as the CDD mechanism for digital channels. Any VBIP implementation must feed into the insurer's AML compliance record.
KYC norms under IRDAI: IRDAI's VBIP KYC insurance India framework specifies Officially Valid Documents (OVDs) that must be captured during the video session. These include Aadhaar, PAN, passport, voter ID, and driving licence.
Aadhaar-based verification: Where customers consent, Aadhaar-based verification via UIDAI's authentication infrastructure can supplement VBIP. Aadhaar XML or DigiLocker-fetched documents may be used. Any use of Aadhaar data must comply with UIDAI guidelines. Refer to official IRDAI guidelines for the current circular on permissible OVDs.
VBIP process flow
The insurance video verification process follows a structured sequence. Deviation at any step creates compliance gaps.
Step-by-step process
1. User initiation The customer triggers the VBIP flow through the insurer's app or web platform. The system confirms device compatibility, checks network adequacy, and verifies that the session is initiated only during permitted hours. IRDAI requires VBIP sessions to occur only during business hours (currently 9 AM to 6 PM IST) to ensure an authorised official is present on the insurer's side.
2. Consent capture Before any video session begins, the platform must capture explicit, informed digital consent from the customer. Consent must cover: identity verification, session recording, data storage, and use of the captured information for policy issuance. Consent must be timestamped and stored as part of the audit record.
3. Live video session A trained, authorised official from the insurer or its agent conducts a live interaction. This is not a pre-recorded or automated flow, a human must be present on the insurer's side. The official must:
- Confirm the customer's live presence through randomised questions or gestures
- Request display of the OVD to the camera
- Read and confirm key details aloud during the session
4. Document validation The official visually verifies the OVD displayed on camera. The system simultaneously captures a clear frame of the document for record. AI-assisted frame extraction may be used for clarity, but final validation responsibility rests with the authorised official.
5. Geo-tagging The customer's location at the time of the session must be geo-tagged and recorded. This confirms the customer is physically present in India and assists in fraud detection. Sessions initiated from outside India must be flagged or rejected depending on the insurer's policy.
6. Recording and storage The full session must be recorded end-to-end at sufficient resolution to allow retrospective review. Recording must capture both sides of the interaction. Storage must meet IRDAI's data retention requirements, typically five years minimum.
7. Audit trail generation Every VBIP session must produce a complete audit record including: session ID, timestamp, official's ID, customer ID, OVD type captured, geo-tag, consent log, and recording reference. This record feeds the insurer's compliance system and must be retrievable on IRDAI request.
Technical architecture for VBIP
What technical infrastructure does a VBIP system require?
Digital KYC insurance India implementations require a multi-layer technical stack. Each layer has specific compliance implications.
Core infrastructure layers
Real-time video infrastructure: The video layer must support low-latency, high-reliability peer-to-peer or server-mediated video. WebRTC is the standard protocol for this. The infrastructure must handle concurrent sessions without degrading video quality, since frame clarity directly affects document readability during the session.
Latency requirements are strict: sessions with persistent lag above 500ms create failed verification events where officials cannot reliably assess liveness or read documents. Video KYC insurance compliance implementations should target sub-300ms round-trip latency under normal network conditions.
Platforms like VideoSDK provide WebRTC-based real-time video infrastructure with session recording built in, which reduces the engineering complexity of building a compliant VBIP layer from scratch. Their developer documentation covers session management APIs relevant to compliance recording scenarios.
Session recording Recording must begin automatically at session start and end only after the official formally closes the session. Gaps in recording invalidate the audit trail. The recording pipeline must write to immutable or append-only storage with checksum verification to detect tampering.
Liveness and fraud detection The system must support detection of:
- Spoofing attempts (printed photographs, displayed screens held to the camera)
- Passive liveness checks (eye-blink detection, micro-movement analysis)
- Injection attacks (pre-recorded video feeds replacing live camera input)
AI-assisted liveness detection can be integrated as a signal layer, but it does not replace the mandatory human official on the insurer's side.
Geo-location capture The customer device must request location permission at session initiation. Coordinate data is attached to the session record. If the customer denies location permission, the session must not proceed, IRDAI geo-tagging is non-optional.
Backend and compliance storage Session metadata, consent logs, geo-tags, document frames, and recording references must be stored in an encrypted, access-controlled backend. Storage must be in India (data localisation) unless IRDAI specifically permits otherwise. Retention: minimum five years from session date.
VBIP compliance framework
The five-category VBIP compliance checklist for InsurTech
The following framework organises your compliance obligations into auditable categories.
Category 1: Customer consent Every VBIP flow must obtain, record, and store explicit consent before the video session begins. Consent must reference the specific purpose, duration of data storage, and customer rights.
Category 2: Video interaction rules Sessions must occur during permitted hours, be conducted by a trained and authorised official, include liveness confirmation, and capture OVD display on camera.
Category 3: Data capture The system must capture: customer face frame, OVD frame, geo-coordinates, session timestamp, official identity, and session duration.
Category 4: Storage requirements All captured data must be encrypted at rest, stored in India, retained for a minimum of five years, and accessible only to authorised compliance personnel and IRDAI.
Category 5: Audit readiness Every session must generate a structured audit record retrievable by session ID, customer ID, date range, and official ID. Audit records must be producible within 24 hours of an IRDAI request.
Compliance checklist
| Requirement | Description | Mandatory | Risk if missed |
|---|---|---|---|
| Business hours restriction | VBIP sessions only between 9 AM and 6 PM IST | Yes | Session invalidation, policy void risk |
| Authorised official present | A trained, licensed insurer official must conduct the session | Yes | Non-compliant onboarding, regulatory action |
| Explicit digital consent | Timestamped consent before session start | Yes | Audit failure, PMLA violation |
| OVD captured on camera | Official must visually verify and frame-capture the document | Yes | KYC gap, policy issuance block |
| Liveness confirmation | Randomised gesture or question to confirm live presence | Yes | Fraud liability, audit failure |
| Geo-tagging | Customer coordinates captured and stored | Yes | Audit failure, session invalidation |
| End-to-end recording | Full session recorded with no gaps | Yes | Complete audit trail loss |
| Encrypted storage | Session data encrypted at rest and in transit | Yes | Data breach liability, IRDAI penalty |
| Data localisation | All data stored on servers located in India | Yes | Regulatory non-compliance |
| Five-year retention | Session records retained for minimum five years | Yes | Audit non-producibility penalty |
| Audit trail generation | Structured record per session with all metadata | Yes | Regulatory reporting failure |
| Official identity logged | ID of conducting official recorded per session | Yes | Accountability gap |
| Session ID assignment | Unique identifier per VBIP session | Yes | Audit traceability failure |
| Tamper-evident storage | Checksum or immutable storage for recordings | Recommended | Evidence admissibility risk |
| AI liveness layer | Automated spoofing detection as supplementary signal | Recommended | Fraud exposure |
Consequences of non-compliance
What happens if an InsurTech fails VBIP compliance?
Non-compliance with IRDAI VBIP compliance InsurTech requirements carries consequences across four dimensions.
Regulatory penalties: IRDAI may issue directions, monetary penalties, or corrective action orders against licensed entities. Penalties under the Insurance Act can extend to significant fines per violation and per day of continued violation.
Licensing impact: Persistent non-compliance can trigger licence review proceedings. For InsurTech platforms operating as intermediaries, the licensed entity (insurer or IWA) they serve may be compelled to terminate the technology arrangement to protect their own licence.
Policy issuance risk: Policies issued on the basis of non-compliant VBIP sessions carry a risk of being declared void. This creates both customer liability and insurer balance sheet exposure.
Audit failures: IRDAI conducts periodic audits of insurer onboarding systems. An incomplete audit trail, missing geo-tags, recording gaps, absent consent logs, results in adverse audit findings that must be publicly disclosed and remediated under regulatory supervision.
Metrics and operational benchmarks
Compliance is not only about meeting requirements at initial implementation. Operations teams must monitor ongoing performance to detect drift.
| Metric | Definition | Target benchmark |
|---|---|---|
| Verification success rate | Sessions completed with full compliant data capture | Above 92% |
| Session failure rate | Sessions terminated due to technical error | Below 5% |
| Drop-off rate | Customers who initiate but do not complete VBIP | Below 15% |
| Average verification time | End-to-end session duration from consent to close | 5 to 10 minutes |
| Audit producibility rate | Audit records retrievable within 24 hours on request | 100% |
| Geo-tag capture rate | Sessions with valid geo-coordinates attached | 100% |
| Recording completeness | Sessions with unbroken end-to-end recording | Above 99% |
Any metric falling outside these ranges should trigger an immediate technical and process review. The audit producibility rate and recording completeness must be maintained at 100%, partial records have no value in an IRDAI audit.
Common mistakes in VBIP implementation
1. Treating VBIP as automated video KYC VBIP requires a live, authorised human official on the insurer's side. InsurTechs that build fully automated flows, even with excellent AI liveness detection, fail this requirement. The official is not optional.
2. Missing geo-tag capture on certain devices Some customer devices deny location permissions by default, or GPS is unavailable in specific environments. The system must hard-block session progression if geo-location cannot be captured, not silently log a null value.
3. Recording gaps at session boundaries Recording failures most commonly occur at the start and end of sessions due to connection negotiation delays. If recording begins 10 seconds after consent capture, that gap is a compliance deficiency. Buffer the recording start before the live session frame appears.
4. Inadequate storage encryption Storing session recordings in S3-equivalent object storage without key management, access logging, or tamper detection is insufficient. IRDAI expects controls that would survive legal discovery and withstand a forensic audit.
5. No structured audit record per session Storing recordings and metadata in separate systems without a single retrievable audit record per session ID creates retrieval delays. When IRDAI requests a specific session's records, every component, consent log, geo-tag, OVD frame, recording, official ID, must be producible together within 24 hours.
Key takeaways
- VBIP is mandatory for all digital insurance onboarding in India; it cannot be replaced by purely automated flows.
- A trained, authorised insurer official must be present on video for every session.
- Geo-tagging is non-optional; sessions without valid coordinates must not proceed.
- All session data must be stored encrypted, in India, for a minimum of five years.
- Audit trail completeness is the most common failure point in IRDAI audits, structure your compliance record at session level, not component level.
FAQ
What is the difference between VBIP and video KYC in banking?
Both are live video identification processes, but VBIP is governed by IRDAI while banking video KYC falls under RBI's Master Direction on KYC. VBIP has insurance-specific requirements such as policy-linked consent and insurer-side authorised official presence. The underlying technology layer is similar, but the compliance obligations differ by regulator.
Can an InsurTech platform conduct the VBIP session on behalf of the insurer?
An InsurTech can provide the technology platform and may have the session conducted by an authorised agent or intermediary, but the conducting official must be authorised by the licensed insurer. The insurer retains regulatory accountability. Refer to the official IRDAI guidelinces for the specific permissible delegation arrangements.
Is Aadhaar-based eKYC a substitute for VBIP?
Aadhaar-based eKYC via OTP or biometric can satisfy identity verification requirements in some contexts, but VBIP is specifically required for remote policy issuance where the customer is not physically present. The two mechanisms address overlapping but distinct requirements. Always verify which is applicable for your specific product type with your compliance counsel.
What are the permitted hours for conducting VBIP sessions?
IRDAI requires VBIP sessions to occur during business hours, currently 9 AM to 6 PM IST. Sessions initiated outside these hours must be blocked at the platform level. Refer to the official IRDAI guidelines at for any updates to this window.
How long must VBIP session recordings be retained?
IRDAI mandates a minimum retention period of five years from the session date. Some insurers apply a longer retention period (up to ten years) aligned to their broader policy record retention policy. Storage must be encrypted and tamper-evident.
What document types are acceptable as OVDs during a VBIP session?
Officially Valid Documents include Aadhaar card, PAN card, passport, voter ID, and driving licence. The customer must physically display the document to the camera during the live session. Soft copies displayed on a screen are not acceptable as they cannot be validated for authenticity.
How should a session be handled if the video connection drops mid-session?
A dropped connection invalidates the session. The customer must restart the full VBIP flow from the consent capture stage. Do not attempt to resume a partial session, the recording gap creates an irreparable audit deficiency. The system should detect disconnection, terminate the session, log the failure reason, and prompt restart.
What is the insurer's liability if a fraudulent customer passes VBIP?
The insurer remains liable for any policy issued on the basis of a fraudulent identity, but a documented, compliant VBIP process significantly reduces regulatory exposure. Regulators assess whether the insurer followed required procedures, not whether fraud was prevented in every case. A compliant process with proper audit records is the defence.