Is AI Voice Calling RBI-Compliant? A Lender's Guide to Fair Practices Code + Voice AI

Every Indian lender asking about voice AI for collections asks the same first question: "Is this even legal?" The short answer is yes — with specific, well-defined guardrails. This is a practitioner's guide to what the rules actually say and how to configure a voice AI agent to comply.

Disclaimer up front: We build voice AI — we are not your lawyer. Everything below is our reading of the public regulations. Your compliance and legal teams must review any specific deployment before launch. Use this as a starting framework, not as a legal opinion.

Which regulations apply?

Five main frameworks govern voice AI calling for lenders in India:

1. RBI Master Direction — Fair Practices Code — governs how lenders (banks, NBFCs, fintechs) can contact borrowers. Applies to the conduct of the call regardless of whether a human or AI is speaking.
2. RBI Guidelines on Digital Lending — governs digital lender conduct, DLG arrangements, and recovery practices.
3. TRAI DLT (Distributed Ledger Technology) regulations — govern commercial voice calls, sender ID registration, header templates, and do-not-disturb (DND) lists.
4. Digital Personal Data Protection Act (DPDP Act, 2023) — governs how personal data (borrower PII, transaction history, voice recordings) can be collected, processed and stored.
5. TRAI TCCCPR (Telecom Commercial Communications Customer Preference Regulations) — governs call timing, frequency limits and opt-out handling.

What the RBI Fair Practices Code actually requires

The relevant sections of the RBI Master Direction on Fair Practices Code set out specific requirements for collections and customer contact. In plain English:

• Identity disclosure. The caller (human or AI) must identify themselves and the lender at the start of the call.
• Purpose disclosure. The reason for the call must be stated upfront — "I am calling regarding your credit card payment" or similar.
• Civil and dignified conduct. No abusive language, no threats, no intimidation. This applies equally to automated and human calls.
• Timing restrictions. Collections calls are generally restricted to reasonable hours (typically 08:00 to 19:00 IST), avoiding early morning, late evening, and unsocial hours.
• Frequency limits. No excessive or harassing call frequency. Borrowers can request a specific contact window.
• Privacy at verification. Account-specific information must not be disclosed to anyone other than the verified borrower.
• Callback honoring. If a borrower asks to be called back at a specific time, that request must be honored.
• Grievance redressal. Borrowers must be given a way to raise a complaint with the lender.

Does this apply to AI voice agents?

Yes. RBI guidance is about the conduct of the call, not the caller's biology. If the call is being made on behalf of a lender for a commercial purpose (collections, customer servicing, sales), the Fair Practices Code applies regardless of whether the voice is human or synthetic. An AI agent that violates any of the rules above exposes the lender to the same enforcement action a human agent would.

The practical consequence: you must be able to prove that your AI agent follows every rule — through system prompts, guardrails, recording retention, and audit trails.

How to configure a voice AI agent for compliance

1. Identity and purpose disclosure — baked into the opening

Every outbound call must open with the lender's identity, the AI agent's identity, and the purpose of the call. On ThinnestAI, this is enforced by a locked "greeting" node that cannot be skipped in the flow editor:

"नमस्ते, मैं [Lender Name] की ओर से आपकी [Product] के बारे में बात करने के लिए कॉल कर रही हूँ। क्या यह बात करने का सही समय है?"

Hindi, Marathi, Tamil and other regional-language variants of this opening should be reviewed by a native-speaker compliance reviewer before launch.

2. Timing windows — hard-enforced, not script-dependent

Collections calls must only go out during permitted hours. ThinnestAI's outbound scheduler enforces a hard timing window at the queue level — set to 08:00–19:00 IST by default. Calls outside the window do not dial, period. The flow editor cannot override this without explicit compliance sign-off.

3. Identity verification before account disclosure

The agent must verify the borrower's identity before disclosing any account-specific information. Standard practice is a non-sensitive identifier (last 4 digits of the registered mobile, city of record, registered email first letter) — not full card number, full DOB or any full PII. The flow editor has a dedicated "identity verification" node with approved patterns and automatic recording pause on sensitive utterances.

4. Civil, scripted objection handling

The hardest part of collections is objection handling. Human agents sometimes drift into pressure tactics when borrowers are evasive. An AI agent will do exactly what you tell it — which means your system prompt and flow design are your compliance. On ThinnestAI we ship default objection-handling scripts that are explicitly non-coercive, and our safety layer detects and blocks any attempt to generate threatening or abusive language.

5. Callback honoring

If the borrower says "call me tomorrow at 4pm," the agent must schedule that callback and actually honor it. This is a first-class feature of ThinnestAI's outbound scheduler — structured callback capture, automatic re-queue at the requested time, and a suppress-before-callback-time lock.

6. Recording retention

Every call must be recorded in full, with encrypted storage and a retention period that matches your compliance requirement. RBI audits can request recordings going back several months. ThinnestAI's default retention is 6 months, configurable up to 24+ months for regulated lenders.

7. Grievance path

The agent must offer a grievance escalation path — a way for the borrower to raise a concern. This is typically a "press 0 to speak to a human agent" or an explicit phrase like "अगर आपको कोई शिकायत है, मैं आपको एक मानव अधिकारी से जोड़ सकती हूँ." Bake this into every collections flow.

TRAI DLT — the other half of compliance

RBI governs the content of the call. TRAI DLT governs the transport. Every commercial voice call in India must be made from a DLT-registered sender ID, with the message template (for voice, the opening disclosure) pre-registered on the DLT platform. The caller must respect the National Customer Preference Register (NCPR / DND list).

On ThinnestAI you handle DLT compliance by BYO phone numbers — bring a DLT-registered Twilio or Vobiz number with your existing registrations. The platform does not register numbers for you; your carrier handles that. Our role is to make sure the dialing layer respects DND lists and your approved templates.

DPDP Act — data handling

The DPDP Act (2023) classifies borrower PII (name, address, phone, financial account details) as personal data. The lender is the data fiduciary; ThinnestAI is a data processor. Key requirements:

• Purpose limitation: data collected for collections can only be used for collections, not repurposed for cross-sell without fresh consent.
• Retention limits: configurable per use case; default 6 months for ThinnestAI recordings.
• Data minimization: do not collect more than you need. Voice agent transcripts should be redacted for sensitive fields (full card numbers, CVVs) automatically.
• Data residency: ThinnestAI stores Indian voice data in Mumbai region (GCP asia-south1) by default.
• Right to erasure: borrowers can request deletion of their personal data. The platform supports programmatic erasure via webhook.

What compliance teams typically ask about

"Can AI voice agents really do this?"

Yes. The rules apply to conduct, not caller type. A well-configured voice AI agent is often more compliant than a human telecaller because it follows the script exactly 10,000 times in a row. Humans drift, especially late in long shifts.

"What if the agent says something wrong?"

Multi-layer safety. System prompt constraints, a runtime safety classifier that blocks abusive or threatening language, full call recording for audit, and a hard-coded human-escalation path when the agent detects distress or abuse. For high-stakes flows (OTS / settlement), we recommend pairing the AI agent with mandatory human QA on a sample of calls.

"How do we audit this?"

ThinnestAI produces per-call audit records with: full transcript, recording URL, outcome code, flow version ID, system prompt version, and compliance tags. For RBI audits, the compliance team can filter and export recordings by date, product, outcome, or any tag. The audit trail is tamper-evident.

"What if a borrower files a complaint?"

Standard grievance redressal. The lender is the data fiduciary and is responsible for responding within RBI timelines. ThinnestAI produces the full call recording, transcript, and outcome record for any disputed call — usually within minutes of the request.

The one-page compliance checklist

• ☐ System prompt enforces identity disclosure in the opening
• ☐ Timing window hard-enforced at the scheduler level (08:00–19:00 IST default)
• ☐ Non-sensitive identity verification before any account disclosure
• ☐ Non-coercive, approved objection-handling scripts
• ☐ Structured callback capture with automatic re-queue
• ☐ Full call recording with configurable retention
• ☐ Grievance escalation path in every flow
• ☐ BYO DLT-registered sender ID via Twilio / Vobiz
• ☐ DND list check before every outbound dial
• ☐ DPDP-compliant data residency (Mumbai region)
• ☐ Sensitive field redaction in transcripts and logs
• ☐ Per-call audit records with flow and prompt version tags

Where to start

If you're a lender evaluating voice AI for collections, the right first step is a pilot on a single product and a single language — usually first-party credit card EMI reminders in Hindi or Marathi. Pilot for 2–4 weeks with daily compliance review, then expand. Read our debt collections voice AI playbook for the full deployment guide, or try the live agent demo to hear the default flow yourself.