Why Onboarding Is a Compliance Function, Not a Sales Formality
For most Indian commercial insurance brokers, client onboarding has historically been treated as a sales handover: the producer wins the account, a proposal form is collected, and the back office files whatever documents the insurer happens to ask for at proposal stage. That treatment is no longer defensible. The broker is a reporting entity in its own right under the Prevention of Money Laundering Act, 2002 (PMLA), and the onboarding moment is where the broker either discharges or fails its anti-money-laundering and know-your-customer obligations.
The obligation flows from two layers of regulation. The first is the PMLA and the Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (the PML Rules), which designate insurance intermediaries among the reporting entities required to verify client identity, identify beneficial owners, maintain records and report prescribed transactions to the Financial Intelligence Unit, India (FIU-IND). The second is the IRDAI's anti-money-laundering and counter-financing-of-terrorism framework for the insurance sector, issued as a master guideline that the IRDAI has revised across editions, most recently consolidating AML/CFT expectations for insurers and intermediaries. The broker sits squarely inside both layers.
The practical consequence is that the broker cannot treat KYC as the insurer's problem. While the insurer issuing the policy also performs customer due diligence, the IRDAI framework and the PML Rules place independent obligations on the intermediary that solicits and procures the business and handles premium. A broker that collects premium under Regulation 30 of the IRDAI (Insurance Brokers) Regulations, 2018 and remits it to the insurer is squarely in the money-flow path that AML controls are designed to monitor. Premium routed through a broker's segregated bank account without proper client identification is precisely the kind of flow the FIU-IND exists to detect.
The onboarding workflow also feeds everything downstream. The client risk categorisation determined at onboarding drives the depth of ongoing monitoring, the periodicity of KYC refresh, and the sensitivity of transaction monitoring thresholds. The beneficial-ownership record established at onboarding is the reference point against which subsequent changes (a new controlling shareholder, a restructured holding entity, a change in directors) must be checked. The sanctions screening done at onboarding is the baseline that periodic rescreening compares against. Get onboarding wrong and every downstream control inherits the defect.
There is a commercial dimension as well. Corporate clients increasingly expect a clean, fast, digital onboarding experience, not a repeated request for the same documents across renewal cycles. A broker that captures structured KYC once, stores it against the Central KYC Records Registry (CKYCR) identifier, and reuses it across the client's policies removes friction for the client while strengthening its own compliance position. Onboarding done well is both a control and a service differentiator.
This post sets out the onboarding workflow a commercial broker should operate in 2026: the legal obligations, the document set and verification steps for corporate clients, the beneficial-ownership identification logic, the risk-categorisation model that drives due-diligence depth, the sanctions and politically-exposed-person screening, the digital workflow design, and the record-keeping and audit-trail discipline that an IRDAI inspection or an FIU-IND query will test.
The Legal Spine: PMLA, PML Rules, IRDAI AML Guidelines and CKYC
Before designing the workflow, the broker's compliance team should be precise about which obligations apply and where they originate. The onboarding process is the operational expression of four interacting instruments.
PMLA and the PML Rules
The PMLA, 2002 establishes the offence of money laundering and the obligations of reporting entities. The PML (Maintenance of Records) Rules, 2005 operationalise those obligations: client due diligence (verifying identity using officially valid documents), identification of beneficial owners, record maintenance, and reporting of prescribed transactions. Reporting entities must maintain records of transactions and of client identity documents for the period the rules prescribe, which is five years from the date of cessation of the business relationship or from the date of the transaction, whichever applies, and must furnish these to FIU-IND on request. The reporting obligations include Suspicious Transaction Reports (STRs), which are not threshold-based: a single suspicious transaction, regardless of amount, triggers the reporting duty.
IRDAI AML/CFT master guidelines
The IRDAI's AML/CFT guidelines for the insurance sector translate the PMLA framework into insurance-specific obligations. They require regulated entities, including brokers, to put in place a board-approved AML policy, appoint a Principal Officer and a Designated Director, perform customer due diligence proportionate to risk, screen against sanctions lists, monitor transactions, and file the prescribed reports. The guidelines articulate the risk-based approach: due-diligence intensity scales with the assessed money-laundering risk of the client and the product. For commercial non-life lines the money-laundering risk is generally lower than for high-cash-value life products, but the broker must still document its risk assessment rather than assume low risk.
CKYC and the Central KYC Records Registry
The CKYCR, operated by CERSAI under the rules notified by the Government, is a central repository of KYC records. A reporting entity that performs KYC uploads the record and receives a 14-digit CKYC Identifier (KIN). Other reporting entities can retrieve the verified record using the KIN rather than re-collecting documents, subject to consent. For commercial brokers this matters in two ways: the broker should check whether a client already has a CKYC record before requesting fresh documents, and the broker should upload records it creates so the ecosystem stays current. CKYC reduces duplication and creates a verifiable, centralised trail.
Officially valid documents and the legal-entity client
The PML Rules define officially valid documents (OVDs) for individuals (passport, driving licence, Aadhaar/proof of possession of Aadhaar, Voter ID, and others as notified). For legal entities the document set is different and more involved: certificate of incorporation, memorandum and articles of association, the PAN of the entity, a board resolution authorising the persons who will operate the relationship, and the identity documents of those authorised signatories and of the beneficial owners. The GST registration certificate is commonly collected as a supporting document for commercial clients and helps corroborate the business profile.
Why this matters at onboarding
Each of these instruments converges at the onboarding moment. Identity verification, beneficial-ownership identification, sanctions screening and risk categorisation are all onboarding-stage controls. Record maintenance and transaction monitoring are downstream, but they depend on the onboarding record being complete and accurate. A broker that maps its workflow explicitly to these four instruments can demonstrate, document by document and step by step, how each obligation is discharged, which is exactly what an inspector or an FIU-IND analyst will ask it to do.
The Corporate Client Document Set and Verification Steps
Commercial broking onboards legal entities, not individuals, which makes the document set and verification logic more demanding than retail KYC. The objective is to establish, with verifiable evidence, who the client legally is, who controls it, and who is authorised to act for it.
Core entity documents
For a private or public limited company the core set comprises the certificate of incorporation, the PAN of the company, the memorandum and articles of association, a recent board resolution or power of attorney authorising the persons who will deal with the broker and insurer, and proof of the registered and principal place of business. For an LLP the set includes the LLP agreement and the certificate of registration; for a partnership firm, the partnership deed and registration certificate; for a trust or society, the trust deed or registration and the list of trustees or office-bearers. The broker should map the document set to the constitution of the specific client rather than apply a single template, because the beneficial-ownership logic differs across these structures.
Authorised signatory verification
The persons authorised to operate the relationship must be identified using OVDs and their authority verified against the board resolution or equivalent. This is not a formality. The authorised signatory is the person whose instructions the broker will act on for placement, endorsement and claims, and whose identity the broker certifies. The verification should capture the name, the OVD reference, the photograph or e-KYC reference, and the document evidencing authority, with each linked in the onboarding record.
Corroborating the business profile
Beyond bare identity, the broker should establish the nature of the client's business, its expected insurance programme, and the rationale for the relationship. For a manufacturing client this means understanding the plants, the assets to be insured, the turnover band, and the lines likely to be placed. The GST registration, the latest financial statements where available, and the website or trade references corroborate the profile. The purpose is to give the relationship an expected shape so that, later, a transaction inconsistent with that shape (a sudden large premium for a line unrelated to the client's business, an instruction to remit a refund to an unrelated third party) stands out as an anomaly worth examining.
Verification method, not just collection
Collecting a document is not verifying it. The workflow should verify the entity's existence and good standing against authoritative sources where available: the Ministry of Corporate Affairs registry for company status and director details, the GST portal for registration validity, and PAN verification facilities for the entity PAN. For directors and beneficial owners, the Director Identification Number (DIN) and the MCA filings establish the corporate control chain. Verification against authoritative registries is what distinguishes genuine due diligence from a document-collection exercise.
CKYC check first
Before requesting a full document set, the workflow should check the CKYCR for an existing record using the entity's identifier. Where a valid record exists, the broker can retrieve it with consent and avoid re-collection, while still performing its own risk assessment and screening. Where no record exists, the broker creates one and uploads it. This sequencing reduces client friction and keeps the central registry current.
Handling incomplete onboarding
The workflow must define what happens when documents are incomplete. The principle is that the relationship should not proceed to binding without the minimum due-diligence set, and premium should not be accepted into the segregated account against an unidentified client. A controlled exception process, with named approval and a documented remediation deadline, is acceptable for narrow gaps; an open-ended practice of binding first and collecting documents later is not, and is a recurring inspection finding. The onboarding record should show, for every client, that the due-diligence set was complete before the relationship became operational, or that a documented and time-bound exception was approved by an authorised person.
Beneficial Ownership: Identifying Who Actually Controls the Client
Beneficial-ownership identification is the part of onboarding most often done poorly and most consequential when done wrong. The objective is to look through the legal entity to the natural persons who ultimately own or control it, because money-laundering structures rely precisely on opacity of control.
The control threshold
Under the PML Rules, the beneficial owner of a company is the natural person who, whether acting alone or together, or through one or more juridical persons, has a controlling ownership interest or exercises control through other means. The PML Rules set a controlling-ownership-interest threshold for companies (ownership of or entitlement to a defined percentage of shares or capital or profits of the company) and provide that where no natural person is identified through ownership, control through other means, and ultimately the senior managing official, is identified. For partnerships and unincorporated bodies the threshold is expressed against capital or profits, and for trusts the settlor, trustees, beneficiaries and any controlling person are identified. The broker must apply the threshold that matches the client's legal form rather than a single number.
Tracing the control chain
Where the immediate shareholder of the client is itself a company, the analysis does not stop at that company; it continues up the chain until natural persons are reached. A client owned by a holding company, owned in turn by a promoter family through an investment vehicle, requires the broker to trace through each layer using MCA filings and shareholding records until it reaches the individuals who control the structure. Tracing through one layer and recording the intermediate company as the beneficial owner is a common and serious error. The beneficial owner is always a natural person.
Listed entities and exemptions
The framework recognises that a company listed on a stock exchange, and subject to disclosure requirements, presents lower opacity risk, and the detailed beneficial-ownership tracing can be applied proportionately. The broker should still record the basis on which it relied on the listing exemption, identify the controlling shareholders disclosed in regulatory filings where relevant, and screen the entity and its key persons. The exemption simplifies tracing; it does not remove the obligation to assess and document.
Documenting and re-verifying
The beneficial-ownership record should capture each identified natural person, the basis of identification (ownership percentage, control through other means, or senior managing official), the supporting evidence, and the date of determination. Because ownership and control change, the broker should re-verify beneficial ownership at KYC refresh and on trigger events: a change of directors, a corporate restructuring, a merger, or any instruction that suggests a change in the controlling parties. The beneficial-ownership record is a living record, not a one-time form.
Why brokers get this wrong
The common failure modes are predictable. Recording an intermediate company rather than the ultimate natural person. Accepting the authorised signatory as the beneficial owner because that person is the one in the room. Failing to identify the senior managing official where no controlling owner is found. Not re-verifying after a restructuring. Each of these leaves a gap that a determined launderer can exploit and that an inspector will find. The discipline of always reaching a named natural person, with documented basis and supporting evidence, is what separates real beneficial-ownership identification from a box-ticking exercise.
Risk Categorisation and Sanctions Screening at Onboarding
The risk-based approach is the organising principle of the IRDAI AML framework: due-diligence depth and ongoing-monitoring intensity scale with assessed risk. The broker must categorise each client at onboarding and screen every client and its connected persons against sanctions and politically-exposed-person criteria.
The risk-categorisation model
A workable model scores each client across a small set of factors and assigns a low, medium or high risk rating. The factors typically include: client type and structure (a listed manufacturer is lower risk than an opaque multi-layered holding structure), industry (some sectors carry higher inherent risk), geography (exposure to higher-risk jurisdictions), the beneficial-ownership profile (transparency and the presence of politically exposed persons), the product and premium profile, and the delivery channel. The score determines the customer-due-diligence depth: standard due diligence for low and medium risk, enhanced due diligence for high risk. Enhanced due diligence means more documentation, senior sign-off, closer transaction monitoring and more frequent KYC refresh.
The categorisation must be documented with its rationale. A client rated low risk should have a record showing why; a client rated high risk should have a record of the enhanced measures applied. An undocumented categorisation, or a default of every client to low risk, is the single most common AML weakness an inspection surfaces, because it shows the risk-based approach was asserted but not operated.
Sanctions screening
Every client, its beneficial owners, its directors and its authorised signatories should be screened against the applicable sanctions and designated-persons lists at onboarding. In India the binding domestic list is the list of individuals and entities designated under the Unlawful Activities (Prevention) Act, 1967 (UAPA), maintained and circulated by the authorities, together with the United Nations Security Council consolidated list that India implements. Many brokers also screen against widely used international lists (for example OFAC and EU lists) where the client has cross-border exposure, because insurers and reinsurers in the chain may require it. The screening should be name-and-alias based, should account for transliteration variants common with Indian names, and should record the search performed, the lists covered, the date, and the result.
Politically exposed persons
The framework requires identification of politically exposed persons (PEPs) and the application of enhanced due diligence to relationships involving them, including senior management approval to establish or continue the relationship and closer ongoing monitoring. The broker should screen beneficial owners and key persons for PEP status and apply the enhanced measures where a match is confirmed. PEP status is not a reason to decline a relationship, but it is a reason to apply additional scrutiny and to document the senior approval.
Handling matches
The workflow must define what happens when a screen returns a hit. A potential sanctions match must be escalated and resolved before the relationship proceeds; a true match against a UAPA or UNSC designation means the relationship cannot proceed and may itself be reportable. A PEP match triggers enhanced due diligence and senior approval. A false positive must be cleared with a documented basis (the matched name is a different person, established by date of birth, identity document or other distinguishing evidence). The discipline is that no hit is ever silently dismissed; every hit is dispositioned with a recorded rationale and, where required, an escalation.
Digital Onboarding Workflow and the Audit Trail
The controls described above are only as good as the workflow that operates them. A 2026-standard broker runs onboarding as a structured digital process with defined steps, role-based handoffs, system-enforced completeness checks, and a complete audit trail, rather than as an email-and-spreadsheet exercise that depends on individual diligence.
The workflow stages
A practical digital onboarding workflow runs through defined stages. Initiation captures the prospective client and the producer who introduced it, and triggers the CKYC check. Data and document capture collects the entity documents, signatory documents and beneficial-ownership evidence through a structured intake, with the client able to upload directly through a portal where appropriate. Verification runs the entity verification against MCA, GST and PAN sources, and records the results. Beneficial-ownership analysis traces the control chain and records the identified natural persons. Screening runs the sanctions and PEP checks and captures the dispositions. Risk categorisation scores the client and sets the due-diligence depth. Approval routes the completed file to the appropriate authority, with high-risk and PEP cases escalated to senior sign-off. Activation releases the client for binding and premium handling only once the file is complete and approved. Each stage produces a timestamped, user-attributed record.
System-enforced completeness
The value of a digital workflow over a manual one is that completeness can be enforced by the system rather than relied upon from the person. The workflow should prevent activation while mandatory items are missing, flag KYC refresh due dates, and route exceptions to named approvers. A producer cannot bypass beneficial-ownership identification because the workflow will not advance without it. This is the operational mechanism that turns a policy on paper into a control in practice.
The audit trail
The audit trail is the evidence that the controls operated. For each client the broker should be able to produce, on request, the documents collected, the verifications performed and their results, the beneficial owners identified with basis and evidence, the screening searches with lists and dispositions, the risk categorisation with rationale, and the approvals with the approver and timestamp. The trail must be tamper-evident: who did what, when, and on what basis, recorded in a way that cannot be quietly altered after the fact. Record retention follows the PML Rules period (five years from cessation of the relationship or from the transaction, as applicable), and the records must be retrievable in the format an inspector or FIU-IND requests.
Refresh, monitoring and reporting
Onboarding feeds the ongoing obligations. KYC refresh runs on a periodicity set by risk category (more frequent for high risk). Transaction monitoring compares premium and refund flows against the expected client profile established at onboarding and flags anomalies. Suspicious activity, once identified, is escalated to the Principal Officer for STR assessment and filing with FIU-IND. The onboarding record is the reference point for all of this: the cleaner and more structured it is, the more reliable the downstream monitoring becomes.
Where this leaves the broker
Client onboarding done to this standard is simultaneously a regulatory shield and an operational asset. It satisfies the PMLA, the PML Rules and the IRDAI AML guidelines; it produces an inspection-ready audit trail; and it captures structured client data once for reuse across the client's policies and renewals. Brokers running onboarding as a sales formality carry latent compliance exposure that an inspection or an FIU-IND query can convert into a finding; brokers running it as a structured, screened, documented workflow carry evidence that the obligations were met.
The onboarding record also becomes the spine of every subsequent placement decision, because every line the broker places for the client must be matched against the right wording, the right triggers and the right exclusions. Sarvada gives commercial insurance brokers structured, searchable access to insurer policy wordings, so that once a client is cleanly onboarded the broker can compare triggers, grants, sub-limits and exclusions across insurers and place each line on terms it can defend to the client and document for the file. Request Access to evaluate how structured wording access supports the placement work that follows onboarding.

