Operations & Best Practices

Broker Client Onboarding in India 2026: KYC, AML/PMLA, Beneficial Ownership and Sanctions Screening Workflow

Indian commercial insurance brokers carry direct obligations under PMLA, the IRDAI AML master guidelines and CKYC norms when onboarding corporate clients. This post sets out a structured onboarding workflow covering KYC/CKYC, beneficial ownership, risk categorisation, sanctions screening and audit trail.

Tarun Kumar Singh
Tarun Kumar SinghStrategic Risk & Compliance SpecialistAIII · CRICP · CIAFP
16 min read

Listen to this article

Audio version • 16 min read

client-onboardingkyc-ckycaml-pmlabeneficial-ownershipsanctions-screeningbroker-compliancerisk-categorisationdigital-onboardingaudit-trail

Last reviewed: June 2026

Why Onboarding Is a Compliance Function, Not a Sales Formality

For most Indian commercial insurance brokers, client onboarding has historically been treated as a sales handover: the producer wins the account, a proposal form is collected, and the back office files whatever documents the insurer happens to ask for at proposal stage. That treatment is no longer defensible. The broker is a reporting entity in its own right under the Prevention of Money Laundering Act, 2002 (PMLA), and the onboarding moment is where the broker either discharges or fails its anti-money-laundering and know-your-customer obligations.

The obligation flows from two layers of regulation. The first is the PMLA and the Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (the PML Rules), which designate insurance intermediaries among the reporting entities required to verify client identity, identify beneficial owners, maintain records and report prescribed transactions to the Financial Intelligence Unit, India (FIU-IND). The second is the IRDAI's anti-money-laundering and counter-financing-of-terrorism framework for the insurance sector, issued as a master guideline that the IRDAI has revised across editions, most recently consolidating AML/CFT expectations for insurers and intermediaries. The broker sits squarely inside both layers.

The practical consequence is that the broker cannot treat KYC as the insurer's problem. While the insurer issuing the policy also performs customer due diligence, the IRDAI framework and the PML Rules place independent obligations on the intermediary that solicits and procures the business and handles premium. A broker that collects premium under Regulation 30 of the IRDAI (Insurance Brokers) Regulations, 2018 and remits it to the insurer is squarely in the money-flow path that AML controls are designed to monitor. Premium routed through a broker's segregated bank account without proper client identification is precisely the kind of flow the FIU-IND exists to detect.

The onboarding workflow also feeds everything downstream. The client risk categorisation determined at onboarding drives the depth of ongoing monitoring, the periodicity of KYC refresh, and the sensitivity of transaction monitoring thresholds. The beneficial-ownership record established at onboarding is the reference point against which subsequent changes (a new controlling shareholder, a restructured holding entity, a change in directors) must be checked. The sanctions screening done at onboarding is the baseline that periodic rescreening compares against. Get onboarding wrong and every downstream control inherits the defect.

There is a commercial dimension as well. Corporate clients increasingly expect a clean, fast, digital onboarding experience, not a repeated request for the same documents across renewal cycles. A broker that captures structured KYC once, stores it against the Central KYC Records Registry (CKYCR) identifier, and reuses it across the client's policies removes friction for the client while strengthening its own compliance position. Onboarding done well is both a control and a service differentiator.

This post sets out the onboarding workflow a commercial broker should operate in 2026: the legal obligations, the document set and verification steps for corporate clients, the beneficial-ownership identification logic, the risk-categorisation model that drives due-diligence depth, the sanctions and politically-exposed-person screening, the digital workflow design, and the record-keeping and audit-trail discipline that an IRDAI inspection or an FIU-IND query will test.

The Legal Spine: PMLA, PML Rules, IRDAI AML Guidelines and CKYC

Before designing the workflow, the broker's compliance team should be precise about which obligations apply and where they originate. The onboarding process is the operational expression of four interacting instruments.

PMLA and the PML Rules

The PMLA, 2002 establishes the offence of money laundering and the obligations of reporting entities. The PML (Maintenance of Records) Rules, 2005 operationalise those obligations: client due diligence (verifying identity using officially valid documents), identification of beneficial owners, record maintenance, and reporting of prescribed transactions. Reporting entities must maintain records of transactions and of client identity documents for the period the rules prescribe, which is five years from the date of cessation of the business relationship or from the date of the transaction, whichever applies, and must furnish these to FIU-IND on request. The reporting obligations include Suspicious Transaction Reports (STRs), which are not threshold-based: a single suspicious transaction, regardless of amount, triggers the reporting duty.

IRDAI AML/CFT master guidelines

The IRDAI's AML/CFT guidelines for the insurance sector translate the PMLA framework into insurance-specific obligations. They require regulated entities, including brokers, to put in place a board-approved AML policy, appoint a Principal Officer and a Designated Director, perform customer due diligence proportionate to risk, screen against sanctions lists, monitor transactions, and file the prescribed reports. The guidelines articulate the risk-based approach: due-diligence intensity scales with the assessed money-laundering risk of the client and the product. For commercial non-life lines the money-laundering risk is generally lower than for high-cash-value life products, but the broker must still document its risk assessment rather than assume low risk.

CKYC and the Central KYC Records Registry

The CKYCR, operated by CERSAI under the rules notified by the Government, is a central repository of KYC records. A reporting entity that performs KYC uploads the record and receives a 14-digit CKYC Identifier (KIN). Other reporting entities can retrieve the verified record using the KIN rather than re-collecting documents, subject to consent. For commercial brokers this matters in two ways: the broker should check whether a client already has a CKYC record before requesting fresh documents, and the broker should upload records it creates so the ecosystem stays current. CKYC reduces duplication and creates a verifiable, centralised trail.

Officially valid documents and the legal-entity client

The PML Rules define officially valid documents (OVDs) for individuals (passport, driving licence, Aadhaar/proof of possession of Aadhaar, Voter ID, and others as notified). For legal entities the document set is different and more involved: certificate of incorporation, memorandum and articles of association, the PAN of the entity, a board resolution authorising the persons who will operate the relationship, and the identity documents of those authorised signatories and of the beneficial owners. The GST registration certificate is commonly collected as a supporting document for commercial clients and helps corroborate the business profile.

Why this matters at onboarding

Each of these instruments converges at the onboarding moment. Identity verification, beneficial-ownership identification, sanctions screening and risk categorisation are all onboarding-stage controls. Record maintenance and transaction monitoring are downstream, but they depend on the onboarding record being complete and accurate. A broker that maps its workflow explicitly to these four instruments can demonstrate, document by document and step by step, how each obligation is discharged, which is exactly what an inspector or an FIU-IND analyst will ask it to do.

The Corporate Client Document Set and Verification Steps

Commercial broking onboards legal entities, not individuals, which makes the document set and verification logic more demanding than retail KYC. The objective is to establish, with verifiable evidence, who the client legally is, who controls it, and who is authorised to act for it.

Core entity documents

For a private or public limited company the core set comprises the certificate of incorporation, the PAN of the company, the memorandum and articles of association, a recent board resolution or power of attorney authorising the persons who will deal with the broker and insurer, and proof of the registered and principal place of business. For an LLP the set includes the LLP agreement and the certificate of registration; for a partnership firm, the partnership deed and registration certificate; for a trust or society, the trust deed or registration and the list of trustees or office-bearers. The broker should map the document set to the constitution of the specific client rather than apply a single template, because the beneficial-ownership logic differs across these structures.

Authorised signatory verification

The persons authorised to operate the relationship must be identified using OVDs and their authority verified against the board resolution or equivalent. This is not a formality. The authorised signatory is the person whose instructions the broker will act on for placement, endorsement and claims, and whose identity the broker certifies. The verification should capture the name, the OVD reference, the photograph or e-KYC reference, and the document evidencing authority, with each linked in the onboarding record.

Corroborating the business profile

Beyond bare identity, the broker should establish the nature of the client's business, its expected insurance programme, and the rationale for the relationship. For a manufacturing client this means understanding the plants, the assets to be insured, the turnover band, and the lines likely to be placed. The GST registration, the latest financial statements where available, and the website or trade references corroborate the profile. The purpose is to give the relationship an expected shape so that, later, a transaction inconsistent with that shape (a sudden large premium for a line unrelated to the client's business, an instruction to remit a refund to an unrelated third party) stands out as an anomaly worth examining.

Verification method, not just collection

Collecting a document is not verifying it. The workflow should verify the entity's existence and good standing against authoritative sources where available: the Ministry of Corporate Affairs registry for company status and director details, the GST portal for registration validity, and PAN verification facilities for the entity PAN. For directors and beneficial owners, the Director Identification Number (DIN) and the MCA filings establish the corporate control chain. Verification against authoritative registries is what distinguishes genuine due diligence from a document-collection exercise.

CKYC check first

Before requesting a full document set, the workflow should check the CKYCR for an existing record using the entity's identifier. Where a valid record exists, the broker can retrieve it with consent and avoid re-collection, while still performing its own risk assessment and screening. Where no record exists, the broker creates one and uploads it. This sequencing reduces client friction and keeps the central registry current.

Handling incomplete onboarding

The workflow must define what happens when documents are incomplete. The principle is that the relationship should not proceed to binding without the minimum due-diligence set, and premium should not be accepted into the segregated account against an unidentified client. A controlled exception process, with named approval and a documented remediation deadline, is acceptable for narrow gaps; an open-ended practice of binding first and collecting documents later is not, and is a recurring inspection finding. The onboarding record should show, for every client, that the due-diligence set was complete before the relationship became operational, or that a documented and time-bound exception was approved by an authorised person.

Beneficial Ownership: Identifying Who Actually Controls the Client

Beneficial-ownership identification is the part of onboarding most often done poorly and most consequential when done wrong. The objective is to look through the legal entity to the natural persons who ultimately own or control it, because money-laundering structures rely precisely on opacity of control.

The control threshold

Under the PML Rules, the beneficial owner of a company is the natural person who, whether acting alone or together, or through one or more juridical persons, has a controlling ownership interest or exercises control through other means. The PML Rules set a controlling-ownership-interest threshold for companies (ownership of or entitlement to a defined percentage of shares or capital or profits of the company) and provide that where no natural person is identified through ownership, control through other means, and ultimately the senior managing official, is identified. For partnerships and unincorporated bodies the threshold is expressed against capital or profits, and for trusts the settlor, trustees, beneficiaries and any controlling person are identified. The broker must apply the threshold that matches the client's legal form rather than a single number.

Tracing the control chain

Where the immediate shareholder of the client is itself a company, the analysis does not stop at that company; it continues up the chain until natural persons are reached. A client owned by a holding company, owned in turn by a promoter family through an investment vehicle, requires the broker to trace through each layer using MCA filings and shareholding records until it reaches the individuals who control the structure. Tracing through one layer and recording the intermediate company as the beneficial owner is a common and serious error. The beneficial owner is always a natural person.

Listed entities and exemptions

The framework recognises that a company listed on a stock exchange, and subject to disclosure requirements, presents lower opacity risk, and the detailed beneficial-ownership tracing can be applied proportionately. The broker should still record the basis on which it relied on the listing exemption, identify the controlling shareholders disclosed in regulatory filings where relevant, and screen the entity and its key persons. The exemption simplifies tracing; it does not remove the obligation to assess and document.

Documenting and re-verifying

The beneficial-ownership record should capture each identified natural person, the basis of identification (ownership percentage, control through other means, or senior managing official), the supporting evidence, and the date of determination. Because ownership and control change, the broker should re-verify beneficial ownership at KYC refresh and on trigger events: a change of directors, a corporate restructuring, a merger, or any instruction that suggests a change in the controlling parties. The beneficial-ownership record is a living record, not a one-time form.

Why brokers get this wrong

The common failure modes are predictable. Recording an intermediate company rather than the ultimate natural person. Accepting the authorised signatory as the beneficial owner because that person is the one in the room. Failing to identify the senior managing official where no controlling owner is found. Not re-verifying after a restructuring. Each of these leaves a gap that a determined launderer can exploit and that an inspector will find. The discipline of always reaching a named natural person, with documented basis and supporting evidence, is what separates real beneficial-ownership identification from a box-ticking exercise.

Risk Categorisation and Sanctions Screening at Onboarding

The risk-based approach is the organising principle of the IRDAI AML framework: due-diligence depth and ongoing-monitoring intensity scale with assessed risk. The broker must categorise each client at onboarding and screen every client and its connected persons against sanctions and politically-exposed-person criteria.

The risk-categorisation model

A workable model scores each client across a small set of factors and assigns a low, medium or high risk rating. The factors typically include: client type and structure (a listed manufacturer is lower risk than an opaque multi-layered holding structure), industry (some sectors carry higher inherent risk), geography (exposure to higher-risk jurisdictions), the beneficial-ownership profile (transparency and the presence of politically exposed persons), the product and premium profile, and the delivery channel. The score determines the customer-due-diligence depth: standard due diligence for low and medium risk, enhanced due diligence for high risk. Enhanced due diligence means more documentation, senior sign-off, closer transaction monitoring and more frequent KYC refresh.

The categorisation must be documented with its rationale. A client rated low risk should have a record showing why; a client rated high risk should have a record of the enhanced measures applied. An undocumented categorisation, or a default of every client to low risk, is the single most common AML weakness an inspection surfaces, because it shows the risk-based approach was asserted but not operated.

Sanctions screening

Every client, its beneficial owners, its directors and its authorised signatories should be screened against the applicable sanctions and designated-persons lists at onboarding. In India the binding domestic list is the list of individuals and entities designated under the Unlawful Activities (Prevention) Act, 1967 (UAPA), maintained and circulated by the authorities, together with the United Nations Security Council consolidated list that India implements. Many brokers also screen against widely used international lists (for example OFAC and EU lists) where the client has cross-border exposure, because insurers and reinsurers in the chain may require it. The screening should be name-and-alias based, should account for transliteration variants common with Indian names, and should record the search performed, the lists covered, the date, and the result.

Politically exposed persons

The framework requires identification of politically exposed persons (PEPs) and the application of enhanced due diligence to relationships involving them, including senior management approval to establish or continue the relationship and closer ongoing monitoring. The broker should screen beneficial owners and key persons for PEP status and apply the enhanced measures where a match is confirmed. PEP status is not a reason to decline a relationship, but it is a reason to apply additional scrutiny and to document the senior approval.

Handling matches

The workflow must define what happens when a screen returns a hit. A potential sanctions match must be escalated and resolved before the relationship proceeds; a true match against a UAPA or UNSC designation means the relationship cannot proceed and may itself be reportable. A PEP match triggers enhanced due diligence and senior approval. A false positive must be cleared with a documented basis (the matched name is a different person, established by date of birth, identity document or other distinguishing evidence). The discipline is that no hit is ever silently dismissed; every hit is dispositioned with a recorded rationale and, where required, an escalation.

Digital Onboarding Workflow and the Audit Trail

The controls described above are only as good as the workflow that operates them. A 2026-standard broker runs onboarding as a structured digital process with defined steps, role-based handoffs, system-enforced completeness checks, and a complete audit trail, rather than as an email-and-spreadsheet exercise that depends on individual diligence.

The workflow stages

A practical digital onboarding workflow runs through defined stages. Initiation captures the prospective client and the producer who introduced it, and triggers the CKYC check. Data and document capture collects the entity documents, signatory documents and beneficial-ownership evidence through a structured intake, with the client able to upload directly through a portal where appropriate. Verification runs the entity verification against MCA, GST and PAN sources, and records the results. Beneficial-ownership analysis traces the control chain and records the identified natural persons. Screening runs the sanctions and PEP checks and captures the dispositions. Risk categorisation scores the client and sets the due-diligence depth. Approval routes the completed file to the appropriate authority, with high-risk and PEP cases escalated to senior sign-off. Activation releases the client for binding and premium handling only once the file is complete and approved. Each stage produces a timestamped, user-attributed record.

System-enforced completeness

The value of a digital workflow over a manual one is that completeness can be enforced by the system rather than relied upon from the person. The workflow should prevent activation while mandatory items are missing, flag KYC refresh due dates, and route exceptions to named approvers. A producer cannot bypass beneficial-ownership identification because the workflow will not advance without it. This is the operational mechanism that turns a policy on paper into a control in practice.

The audit trail

The audit trail is the evidence that the controls operated. For each client the broker should be able to produce, on request, the documents collected, the verifications performed and their results, the beneficial owners identified with basis and evidence, the screening searches with lists and dispositions, the risk categorisation with rationale, and the approvals with the approver and timestamp. The trail must be tamper-evident: who did what, when, and on what basis, recorded in a way that cannot be quietly altered after the fact. Record retention follows the PML Rules period (five years from cessation of the relationship or from the transaction, as applicable), and the records must be retrievable in the format an inspector or FIU-IND requests.

Refresh, monitoring and reporting

Onboarding feeds the ongoing obligations. KYC refresh runs on a periodicity set by risk category (more frequent for high risk). Transaction monitoring compares premium and refund flows against the expected client profile established at onboarding and flags anomalies. Suspicious activity, once identified, is escalated to the Principal Officer for STR assessment and filing with FIU-IND. The onboarding record is the reference point for all of this: the cleaner and more structured it is, the more reliable the downstream monitoring becomes.

Where this leaves the broker

Client onboarding done to this standard is simultaneously a regulatory shield and an operational asset. It satisfies the PMLA, the PML Rules and the IRDAI AML guidelines; it produces an inspection-ready audit trail; and it captures structured client data once for reuse across the client's policies and renewals. Brokers running onboarding as a sales formality carry latent compliance exposure that an inspection or an FIU-IND query can convert into a finding; brokers running it as a structured, screened, documented workflow carry evidence that the obligations were met.

The onboarding record also becomes the spine of every subsequent placement decision, because every line the broker places for the client must be matched against the right wording, the right triggers and the right exclusions. Sarvada gives commercial insurance brokers structured, searchable access to insurer policy wordings, so that once a client is cleanly onboarded the broker can compare triggers, grants, sub-limits and exclusions across insurers and place each line on terms it can defend to the client and document for the file. Request Access to evaluate how structured wording access supports the placement work that follows onboarding.

About the Author

Tarun Kumar Singh

Tarun Kumar Singh

Strategic Risk & Compliance Specialist

  • AIII
  • CRICP
  • CIAFP
  • Board Advisor, Finexure Consulting
  • Developer of the Behavioural Underinsurance Risk Index (BURI)

Tarun Kumar Singh is a seasoned risk management and insurance professional based in Bengaluru. He serves as Board Advisor at Finexure Consulting, where he advises insurance, fintech, and regulated firms on governance, growth, and trust. His work spans insurance broker regulatory frameworks across India, UAE, and ASEAN, IRDAI compliance and Corporate Agency model reform, VC governance in insurtech, and MSME insurance gap analysis. He is the developer of the Behavioural Underinsurance Risk Index (BURI), a framework applying behavioural economics to underinsurance and insurance fraud risk.

Frequently Asked Questions

Does the broker need to perform its own KYC if the insurer also does customer due diligence on the same client?
Yes. The insurer performing its own customer due diligence does not discharge the broker's obligation. The broker is a reporting entity in its own right under the PMLA and the PML Rules, and the IRDAI AML/CFT guidelines place independent due-diligence, screening, record-keeping and reporting duties on intermediaries. The broker also sits in the money-flow path because it collects and remits premium under Regulation 30 of the IRDAI broker regulations, which is precisely the flow AML controls monitor. The broker should perform its own identification, beneficial-ownership analysis, sanctions screening and risk categorisation, and maintain its own records. Where a valid CKYC record exists, the broker can retrieve it with consent to avoid re-collecting documents, but it must still run its own risk assessment and screening rather than rely wholly on another entity's work.
How far up the ownership chain must a broker trace to identify the beneficial owner of a corporate client?
All the way to a named natural person. Under the PML Rules the beneficial owner is the natural person who ultimately owns or controls the client, applying the controlling-ownership thresholds that match the client's legal form. Where the immediate shareholder is itself a company, the analysis continues up through each corporate layer, using MCA filings and shareholding records, until natural persons are reached. Recording an intermediate holding company as the beneficial owner is a serious and common error; the beneficial owner is always an individual. Where no natural person is found through the ownership threshold, the broker identifies control through other means, and failing that, the senior managing official. For a listed company subject to disclosure requirements the detailed tracing can be applied proportionately, but the broker should still record the basis for relying on the listing and screen the entity and its key persons.
Which sanctions lists must an Indian broker screen against at onboarding?
The binding domestic baseline is the list of individuals and entities designated under the Unlawful Activities (Prevention) Act, 1967 (UAPA), together with the United Nations Security Council consolidated list that India implements. Every client, its beneficial owners, its directors and its authorised signatories should be screened against these at onboarding, with name-and-alias matching that accounts for transliteration variants common with Indian names. Many brokers additionally screen against widely used international lists such as OFAC and EU lists where the client has cross-border exposure, because insurers and reinsurers in the placement chain may require it. The screening must be recorded with the lists covered, the date and the result, and it should be repeated periodically and on list updates, because a client clean at onboarding can later appear on a new designation. Every hit must be dispositioned with a documented rationale; no hit should be silently dismissed.
What records must the broker retain from onboarding, and for how long?
The broker should retain the full onboarding file: the identity and constitutional documents collected, the verification results from MCA, GST and PAN sources, the beneficial-ownership analysis with the identified natural persons and supporting evidence, the sanctions and PEP screening searches with their dispositions, the documented risk categorisation, and the approval record with approver and timestamp. Under the PML Rules the retention period is five years, running from the cessation of the business relationship or from the date of the transaction, as applicable, and the records must be retrievable and furnishable to FIU-IND or to the IRDAI on request. The audit trail should be tamper-evident, capturing who did what and when, so the broker can demonstrate not just that documents were collected but that the controls actually operated. Retention obligations under other laws (the Companies Act, the Income Tax Act) may run in parallel and should be reconciled in the broker's record-retention policy.
Can the broker bind cover and accept premium before onboarding KYC is complete?
As a rule, no. The minimum customer-due-diligence set should be complete before the relationship becomes operational, and premium should not be accepted into the broker's segregated account against an unidentified client, because that places an unverified party directly into the money-flow path the AML framework monitors. A controlled exception process can accommodate narrow, genuine gaps, but it must be named, approved by an authorised person, and tied to a documented remediation deadline. An open-ended practice of binding first and collecting documents later is a recurring inspection finding and exposes the broker on both the PMLA and the IRDAI fronts. The onboarding workflow should enforce this by preventing activation for binding and premium handling until the file is complete and approved, or a documented, time-bound exception has been authorised.

Related Glossary Terms

Related Insurance Types

Related Industries

Related Articles

Sarvada

Ready to see Sarvada in action?

Explore the platform workflow or start a product conversation with our underwriting automation team.

Explore the platform