IRDAI CIS Rules: Why OTP-Based Consent Won't Cut It

Aditya Patel

Director - Growth
January 28, 2026

Summary

  • Under the IT Act and IRDAI rules, simple checkboxes or OTP-based consents do not qualify as a "signature." To be compliant and legally enforceable, digital CIS acknowledgments must use IT Act-compliant eSignatures (like Aadhaar eSign).
  • A signed CIS acts as a "fine-print defense," providing documented proof that key terms and exclusions were clearly disclosed.
  • Beyond the signature, insurers must provide the CIS in vernacular languages and ensure it is a distinct step separate from the proposal form.
  • This blog explains in detail what insurers should do to execute the CIS properly and avoid fines.

In December 2025, a consumer forum in Chandigarh ruled against Star Health in a claim dispute.

The insurer had denied a portion of a bariatric surgery claim based on an exclusion clause. 

The forum rejected the insurer's claim, stating that insurers can't enforce an exclusion clause if they can't prove the policyholder ever agreed to it.

This is exactly the scenario IRDAI's Customer Information Sheet (CIS) requirement is designed to prevent.

The CIS has been mandatory for health insurance products since January 2024. But most insurers still aren't collecting the acknowledgement the regulation requires.

In this article, we’ll give insurers a full primer on CIS and how to comply digitally with IRDAI’s CIS rules.

What is CIS and who does it apply to?

The Customer Information Sheet is a simplified, one-page summary of key policy terms.

IRDAI introduced the revised CIS format to address a persistent problem – policyholders sign up for insurance without understanding what's covered, what's excluded, and what they'll have to pay out of pocket.

The CIS requirement applies to:

  • All health insurance products
  • Personal accident insurance products
  • Travel insurance products
  • Health plus life combi products
  • Non-life package products where health is a component

The entities responsible for providing the CIS include insurers, brokers, corporate agents, web aggregators, and agents. It’s an ecosystem responsibility.

The revised CIS circular has been effective since 1st January 2024.

Insurers keep ignoring IRDAI’s CIS acknowledgement rules

IRDAI doesn't just require you to provide a CIS.

The circular explicitly requires insurers to obtain an acknowledgement from the policyholder by way of a signature. 

The regulator wants documented proof that the policyholder received the CIS, understood it, and acknowledged it—separate from the proposal form signing process.

What actually happens in practice?

The CIS gets bundled with the proposal form and policy documents, and the policyholder clicks through or signs the proposal.

The CIS is technically "sent"—but no separate acknowledgement is collected. The signature field in the CIS stays blank.

Because IRDAI hasn't actively enforced this requirement, insurers have treated CIS acknowledgement as optional.

What counts as valid acknowledgement in digital CIS journeys?

The CIS format (Annexure A of the IRDAI CIS rules) specifies a signature. This matters for digital journeys.

Under Indian law, if a rule, law or regulation uses the word "signature", then any digital process can only happen via IT Act eSign, i.e. one of the following 4 types:

  • Aadhaar eSign (OTP, biometric, face, or iris-based)
  • DSC tokens
  • PAN eSign
  • DocSigner

What does not qualify as a signature:

  • A checkbox ("I agree")
  • An OTP sent to the policyholder's phone
  • A clickwrap consent

These methods may work for general authentication. They do not meet the legal threshold for a "signature" under the IT Act.

If your current digital journey collects CIS acknowledgement via OTP or checkbox, you are not compliant with the IRDAI requirement.

CIS must also be in vernacular

The circular also requires that the CIS be provided in a language understood by the policyholder. For a large portion of Indian policyholders – especially in retail health and personal accident segments – this means vernacular Indian languages, not English.

To fully comply, you need:

  1. CIS documents available in relevant vernacular languages
  2. An eSign and consent interface that supports language selection (just like an ATM)

[Figure: How CIS vernacular works]

Absence of CIS can be costly: The Rama Kant Verma case 

Let's return to that December 2025 case we mentioned in the beginning. 

The facts: The complainant's wife underwent bariatric surgery costing Rs 2,25,000. Star Health paid only Rs 69,958—deducting Rs 1,55,042 based on policy exclusions.

The policyholder's argument: He was never supplied, communicated, or explained the exclusion clauses. He didn't know they existed.

What the insurer couldn't produce: Any document showing the policyholder had signed or agreed to the exclusion clauses. The commission found "nothing on record" to prove disclosure.

The ruling: Relying on the Supreme Court's judgment in M/s Modern Insulators Ltd. v. Oriental Insurance Co. Ltd (2000), the forum rejected the insurer's claim.

It held that an insurer cannot claim the benefit of exclusion clauses to deny a genuine claim if there's no signature or proof of disclosure.

The argument that won here—"you can't prove I agreed to this"—will be made again in District Consumer Forums and regulatory hearings around the country.

A signed CIS showing the policyholder acknowledged the exclusions in plain language makes that argument much harder to sustain.

How a properly executed CIS protects insurers in disputes

A signed CIS creates three lines of defense:

1. Proof of informed consent. The CIS is designed to be a plain-language summary—not fine print. A signature on the CIS is evidence that the policyholder specifically saw and acknowledged the key terms, including exclusions and deductibles. This directly counters the "I was never told" argument.

2. Eliminates the "fine print" defense. Policyholders often claim they were misled by complex legal language buried in lengthy documents. The CIS format—mandated by IRDAI—is meant to be simple and accessible. A signed CIS shows the policyholder had access to a simplified version.

3. Supports the free look period defense. The CIS highlights the 30-day free look period. A signed acknowledgement strengthens the insurer's position that the policyholder had adequate time to review the terms and cancel if they disagreed.

One more thing: The CIS, if implemented properly, is also likely to reduce avenues of mis-selling by field agents. Policyholders no longer need to be swayed by fine print when they can read an easy summary of what they are getting into.

Quick implementation checklist

For compliance teams looking to close this gap:

  1. Separate the CIS acknowledgement from proposal signing. The CIS should be a distinct step with its own signature—not bundled into a single OTP flow.
  2. Use IT Act-compliant eSign for digital journeys. Aadhaar eSign is the most accessible eSign option. OTP-based clickwrap is not sufficient.
  3. Offer vernacular language options. Build language selection into your flow. The CIS document and signing interface should both support vernacular languages.
  4. Store the signed CIS as a retrievable record. You need to be able to produce this document in an audit or dispute. Ensure that the CIS is automatically linked to the policy record in your PAS after it is eSigned.
  5. Audit your current process. Check whether your existing CIS flow actually collects a signature—or just sends the document without acknowledgement.

[Figure: IRDAI CIS acknowledgement rules: what compliant vs non-compliant looks like]

How Leegality can help with IRDAI-compliant digital CIS

Leegality's document infrastructure platform supports compliant CIS acknowledgement workflows:

  • You can use Aadhaar eSign (OTP, biometric, face, or iris) to capture policyholder signatures. 
  • Our eSign journey can be completed in 12 vernacular languages 
  • Connects with your PAS, ERP and Claims Systems in less than a week with minimal IT/tech involvement

Disclaimer: This article is for informational purposes and does not constitute legal advice. Consult your legal team for specific compliance decisions.
