IRDAI Insurance Fraud Monitoring Framework Guidelines: What Legal Teams Must Know


The Insurance Regulatory and Development Authority of India released the Insurance Fraud Monitoring Framework Guidelines on 9 October 2025. These Guidelines come into force on 1 April 2026 and replace the IRDAI Fraud Monitoring Framework circular that had governed the sector since January 2013.

The shift is significant. The 2013 circular was a basic directive. The 2025 Guidelines are a comprehensive governance framework that places fraud prevention at board level, extends accountability across the entire insurance distribution chain, and mandates specific structures, processes, reporting timelines, and documentation standards that insurers and distribution channels must put in place.

This article explains what the Guidelines require, who they apply to, how they differ from the 2013 framework, and what legal and compliance teams at insurers need to do to meet the April 2026 deadline.

Background: Why IRDAI Revised the Fraud Framework

The 2013 circular was issued when India’s insurance sector looked very different. Digital insurance distribution barely existed. The volume and sophistication of fraud have changed substantially in the years since.

Industry estimates suggest that approximately 15% of health insurance claims in India contain some element of fraud. The nature of fraud has also shifted, with cyber fraud, phishing, fake insurance portals, and coordinated fraud rings becoming significant threats that the 2013 framework was not designed to address.

The objective of the new Guidelines is to establish a robust regulatory framework to effectively deter, prevent, detect, report, and remedy fraud risks across the insurance sector. The framework moves from a reactive, siloed approach to a proactive, governance-intensive model where fraud prevention is a board-level responsibility with cross-organisational accountability.

Who the Guidelines Apply To

The Guidelines apply to all insurers, reinsurers, and distribution channels, including insurance intermediaries. The 2013 circular’s application was limited to insurers and reinsurers.

This extension to distribution channels is one of the most significant changes. Corporate brokers, web aggregators, bancassurance partners, motor garages, hospitals, and individual agents are all now within the scope of the framework. Every participant in the insurance value chain has obligations under the Guidelines, not just the insurers themselves.

The Five Fraud Categories

Frauds are classified into five categories: Internal Fraud involving internal staff including employees and senior management; Distribution Channel Fraud involving distribution channels; Policyholder or Claims Fraud; External Fraud; and Affinity or Complex Fraud.

Understanding these categories is important because reporting obligations, investigation procedures, and escalation timelines differ across them. Every suspicious event must be classified into one of these five heads for quarterly and annual returns to the board and to IRDAI.

Internal Fraud covers fraud committed by employees, officers, or senior management of the insurer. This includes misappropriation, manipulation of records, and collusion with external parties.

Distribution Channel Fraud covers fraud committed by agents, brokers, web aggregators, bancassurance partners, and other intermediaries. Given that distribution channels are now within the scope of the Guidelines, insurers are responsible for monitoring and reporting fraud by the channels they engage.

Policyholder or Claims Fraud covers fraudulent claims, misrepresentation at the time of policy issuance, and manipulation of claim documentation by policyholders. The Guidelines encourage the use of behavioural analytics to detect unusual claim patterns and identify repeat offenders.

External Fraud covers fraud by vendors, hospitals, garages, and third parties who are not part of the distribution chain.

Affinity or Complex Fraud covers coordinated fraud involving two or more parties acting in collusion. This includes organised fraud rings and schemes that cut across multiple categories.

Governance Structure: The FMC and FMU

The governance requirements are the most operationally demanding aspect of the new framework.

Fraud Monitoring Committee

Every insurer must establish a Fraud Monitoring Committee headed by a Key Management Personnel, independent of internal audit.

The Fraud Monitoring Committee is staffed by senior heads of underwriting, claims, legal, and technology. The committee can set up sub-groups, but it cannot harbour conflicts of interest. Its mandate includes recommending fresh controls when fraud patterns change, responding to every suspicion within pre-agreed timelines, maintaining a forensic trail of evidence, sharing intelligence with peers, law enforcement, and the Insurance Information Bureau, and conducting an annual comprehensive fraud risk assessment.

The independence requirement is particularly significant. The FMC must not be absorbed into the internal audit function. It must have its own reporting line, its own mandate, and its own accountability structure.

Fraud Monitoring Unit

In addition to the FMC, insurers must establish a Fraud Monitoring Unit. The FMU is the operational arm that handles day-to-day fraud detection, investigation, and reporting. Like the FMC, it must be independent of internal audit.

Board-Approved Anti-Fraud Policy

A board-approved Anti-Fraud Policy, reviewed by the board annually, forms the core of the Fraud Risk Management Framework. The Policy must include red flag indicators, procedures to detect and report fraud, defined responsibilities and delegation of authority, timelines for investigation, whistleblower protection mechanisms, due diligence for recruitment and vendor engagement, and provisions for dealing with non-compliance.

The annual review requirement means this is not a one-time exercise. The policy must be updated to reflect changes in the insurer’s business profile, product mix, technology stack, and distribution model, as well as emerging fraud trends.

Red Flag Indicators

The Guidelines require insurers to develop and maintain a set of Red Flag Indicators specific to their business. These are signals that suggest a transaction, claim, or relationship may involve fraud and should trigger enhanced scrutiny.

Red Flag Indicators must be continuously refined based on past fraud incidents, emerging trends, and intelligence shared through the Insurance Information Bureau. The framework treats fraud prevention as a dynamic process, not a fixed set of rules. What constituted a red flag in 2013 does not necessarily reflect the fraud patterns of 2026, and the RFI set must evolve accordingly.

For policyholder and claims fraud, RFIs may include unusual claim frequency, claims filed shortly after policy issuance, inconsistencies between claim documentation and policy terms, or patterns that match known fraud typologies. For distribution channel fraud, RFIs may include unusual commission structures, policy issuance patterns inconsistent with the agent’s historical profile, or lapse and reinstatement patterns that suggest manipulation.

Reporting Requirements and Timelines

The reporting obligations under the new framework are significantly more structured than under the 2013 circular.

To law enforcement: Insurers must notify law enforcement agencies without delay when a fraud is discovered and legal reporting is warranted.

To IRDAI: Any fraud involving a distribution channel registered with IRDAI must be reported to the regulator immediately. Annual returns in Form FMR-1 must be filed with IRDAI within 30 days of the close of the financial year.

To the board: The FMC must report quarterly to the Risk Management Committee, covering incidents, financial impact, and corrective steps. The annual fraud risk assessment must be placed before the board. Every instance of internal fraud must be simultaneously reported to the audit committee.

To the Insurance Information Bureau: Fraud data must be shared with the IIB to contribute to the national fraud database. The IIB compiles these reports to allow insurers to identify patterns, repeat offenders, duplicate claims, and coordinated fraud rings across the industry.

These timelines are not aspirational. They are binding obligations, and failure to meet them constitutes non-compliance with the Guidelines.

The Insurance Information Bureau and the National Fraud Database

One of the most significant structural changes in the new framework is the creation of a centralised fraud intelligence ecosystem through the IIB.

Under the 2013 framework, fraud data sat within individual insurers. There was no systematic mechanism for sharing intelligence across the industry. A fraudster who successfully made a fraudulent claim with one insurer faced no barrier to attempting the same with another.

The new framework changes this by requiring all insurers to report fraud data to the IIB, which compiles it into a national database. This database allows cross-referencing of claims, identification of repeat offenders, detection of duplicate claims, and recognition of coordinated fraud patterns that would not be visible from within any single insurer’s data.

For legal and compliance teams, this means that the quality and completeness of the fraud data an insurer contributes to the IIB is both a regulatory obligation and a factor in the quality of the intelligence the insurer receives in return.

Cyber Fraud as a Distinct Category

For the first time, cyber fraud has been recognised as a distinct category of financial crime within the insurance ecosystem, reflecting the growing threat of digital scams targeting customers through phishing, hacking, and online impersonation.

This recognition has practical implications for insurers’ fraud monitoring frameworks. Red Flag Indicators, investigation procedures, and reporting protocols need to address cyber fraud specifically, not just treat it as a subcategory of external fraud. Insurers with significant digital distribution channels face particular exposure to cyber fraud, and their Fraud Risk Management Framework needs to reflect this.

The Guidelines also respond to the emergence of fake insurance portals that impersonate IRDAI or licensed insurers. Monitoring for these threats and coordinating with IRDAI and law enforcement when they are identified is part of the obligations the framework places on insurers.

What Has Changed from the 2013 Framework

The 2025 Guidelines differ from the 2013 circular in several material ways.

Scope: The 2013 circular applied only to insurers and reinsurers. The 2025 Guidelines extend to all distribution channels.

Governance: The 2013 circular referenced fraud monitoring cells. The 2025 Guidelines mandate a formally constituted FMC headed by a KMP, independent of internal audit, with specific reporting lines to the Risk Management Committee, audit committee, and board.

Fraud categories: The 2025 Guidelines introduce a standardised five-category taxonomy that must be used in all regulatory reporting. The 2013 framework did not have an equivalent classification system.

Reporting timelines: The 2025 Guidelines specify compressed and binding timelines for reporting to law enforcement, IRDAI, and the IIB. The 2013 circular’s reporting requirements were less prescriptive.

Cyber fraud: The 2025 Guidelines explicitly recognise cyber fraud. The 2013 circular predated the current scale of digital distribution and did not address cyber fraud as a distinct threat.

Annual board review: The anti-fraud policy must be reviewed and approved by the board annually. The 2013 framework did not mandate annual board-level review.

What Legal and Compliance Teams Need to Do Before April 2026

With the Guidelines effective from 1 April 2026, insurers that have not yet begun implementation are working against a short timeline. The following steps are the most immediate priorities.

Establish the FMC and FMU. The governance structure needs to be in place before the effective date. This means identifying the KMP who will chair the FMC, constituting the committee with representation from underwriting, claims, legal, and technology, and establishing the FMU as a separate operational unit independent of internal audit.

Draft and obtain board approval for the Anti-Fraud Policy. The policy needs to be specific to the insurer’s business profile, product mix, and distribution model. It must cover all elements the Guidelines require, including RFIs, investigation timelines, whistleblower protections, and escalation procedures. Board approval must be obtained before the effective date, and a process for annual review must be built into the governance calendar.

Develop the Red Flag Indicator set. RFIs need to be developed for each fraud category relevant to the insurer’s operations. For insurers with complex distribution networks, this includes RFIs specific to distribution channel fraud.

Set up IIB reporting processes. The technical and operational processes for submitting fraud data to the IIB need to be in place before April 2026. This includes defining who is responsible for submissions, what data needs to be captured, and how it will be formatted and transmitted.

Review distribution channel agreements. Since distribution channels are now within the scope of the framework, the agreements between insurers and their distribution channels need to be reviewed to ensure they reflect the fraud monitoring obligations the Guidelines impose. Agents, brokers, and bancassurance partners need to be contractually bound to the insurer’s anti-fraud requirements, and the insurer needs audit rights over their compliance.

Prepare for Form FMR-1 filing. The annual return must be filed within 30 days of the close of the financial year. Insurers need to ensure they have the data capture processes in place to complete this return accurately and on time.

Conclusion

The IRDAI Insurance Fraud Monitoring Framework Guidelines represent a fundamental change in how fraud governance is structured across India’s insurance sector. The extension to distribution channels, the mandatory board-level governance structure, the standardised fraud taxonomy, the compressed reporting timelines, and the integration with the IIB’s national database together constitute a compliance framework that is significantly more demanding than what was required under the 2013 circular.

For legal and compliance teams, the April 2026 deadline is not far away. The governance structure, the board-approved policy, the RFI set, the reporting processes, and the distribution channel contractual arrangements all need to be in place before the Guidelines come into force. Treating this as a documentation exercise rather than a governance transformation is the most common implementation error, and the one most likely to result in non-compliance that is visible to the regulator.

Frequently Asked Questions

What are the IRDAI Insurance Fraud Monitoring Framework Guidelines?

The IRDAI Insurance Fraud Monitoring Framework Guidelines are a regulatory framework issued by the Insurance Regulatory and Development Authority of India on 9 October 2025, effective from 1 April 2026. They replace the 2013 Fraud Monitoring Framework circular and establish comprehensive governance requirements for fraud prevention, detection, reporting, and remediation across India’s insurance sector.

Who do the IRDAI Fraud Monitoring Framework Guidelines apply to?

The Guidelines apply to all insurers, reinsurers, and distribution channels, including corporate brokers, web aggregators, bancassurance partners, motor garages, hospitals, and individual agents. This is a significant expansion from the 2013 circular, which applied only to insurers and reinsurers.

What is the Fraud Monitoring Committee under the IRDAI Guidelines?

The Fraud Monitoring Committee is a governance body that every insurer must establish under the Guidelines. It must be headed by a Key Management Personnel and staffed by senior representatives from underwriting, claims, legal, and technology. It must be independent of internal audit and must report quarterly to the Risk Management Committee, with the annual fraud risk assessment placed before the board.

What are the five fraud categories under the IRDAI Guidelines?

The five fraud categories are Internal Fraud, Distribution Channel Fraud, Policyholder or Claims Fraud, External Fraud, and Affinity or Complex Fraud. All suspicious events must be classified into one of these categories for regulatory reporting purposes.

What is Form FMR-1 under the IRDAI Fraud Monitoring Framework?

Form FMR-1 is the annual statutory return that insurers must file with IRDAI under the Guidelines. It must be submitted within 30 days of the close of the financial year and covers fraud incidents, categories, financial impact, and corrective measures taken during the year.

When do the IRDAI Insurance Fraud Monitoring Framework Guidelines come into force?

The Guidelines come into force on 1 April 2026. They repeal the IRDAI Fraud Monitoring Framework circular dated 21 January 2013 upon coming into force.
