Why client money is the exposure brokers keep underwriting against themselves
Ask most Indian broking principals where their biggest regulatory risk sits and they will point at commission disclosure or KYC. The honest answer is the premium that flows through their books. A broker handles other people's money at scale, often several multiples of its own net worth in a single quarter, and the controls around that float are usually the weakest part of the operation.
Three separate 2026 regimes have just converged on exactly this point. The IRDAI Insurance Fraud Monitoring Framework Guidelines, notified on 9 October 2025 and in force from 1 April 2026, name intermediary fraud and internal fraud as distinct categories that non-individual intermediaries must build a framework around. The IRDAI Information and Cyber Security Guidelines, updated and applying from April 2026, extend information-security and Digital Personal Data Protection Act duties to brokers, and those duties sit on the same payment and reconciliation systems that move premium. Underneath both is the long-standing requirement under the IRDAI (Insurance Brokers) Regulations that insurance money be held in a designated Insurance Bank Account.
The practitioner point is simple. Premium leakage and misappropriation are not abstract risks. They are how a broker loses its registration and, separately, how it loses its professional indemnity defence, because an internal-fraud or commingling event often falls into the conduct exclusions of the PI wording. You can run a clean placement book and still be one weak bank reconciliation away from a regulatory finding. The money rails deserve the same rigour the firm applies to its largest property placement.
What the Insurance Bank Account rule actually requires, line by line
The Insurance Bank Account is not a label you stick on a current account. The regulations are specific, and the specifics are where brokers slip.
- Insurance money (premium collected from or on behalf of a client, and money due to a client) must be paid into an Insurance Bank Account held with a scheduled bank.
- The broker must give the bank written notice, and obtain written confirmation, that the bank will not combine that account with any other account, and will not exercise any right of set-off, charge or lien against the money in it.
- The money stays in that account until it is paid on to the insurer or reinsurer, or refunded to the client. It is held, in substance, in trust.
- Separately, every broker keeps a fixed deposit equivalent to twenty percent of the minimum capital with a scheduled bank, not released without the Authority's permission. That deposit is a solvency cushion, not the client-money account, and the two should never be confused in the firm's own ledgers.
What the rule does not allow is using premium float as cheap working capital, parking it in a sweep that earns the firm interest by quietly leaving the protected account, or letting the bank net it against an overdraft on the operating account. Each of those is a finding waiting to happen, and each turns an ordinary cash-flow habit into a conduct issue.
The premium-flow map: tracing money from client to insurer
Before you can control premium, you have to draw the actual path it takes through your firm. Most brokers have never mapped it end to end, which is why breaks go unnoticed for weeks.
A typical commercial premium for a fire or liability risk moves through four or five hands. The client pays into the Insurance Bank Account. The broker deducts nothing at this stage, because commission is settled separately by the insurer, not skimmed from premium. The gross premium is remitted to the insurer within the credit period. The insurer issues the policy and later releases brokerage. Refunds, short-period adjustments and mid-term endorsements each create their own small money movements that must be tracked back to the original receipt.
Where the breaks happen
- Receipt without allocation. Money lands in the bank but is not matched to a specific policy or debit note for days. Unallocated receipts are the classic cover for both error and fraud.
- Net remittance habits. A broker remits premium net of expected brokerage instead of gross, blurring the trust money with its own revenue. This is one of the fastest routes to a commingling finding.
- Refund float. Client refunds sit in the account long after they are due, sometimes deliberately, because the float looks like liquidity.
- Co-broking and sub-limits. When two brokers share a placement, or a co-insurance panel splits the risk, the premium split must reconcile to each carrier's share, and the hand-off between brokers is a frequent leakage point.
Draw this map once, name the owner of each step, and you have the spine of every control that follows. Without it, your reconciliation is checking a process you have never actually defined.
Reconciliation discipline: the daily, weekly, and monthly cadence
Reconciliation is where intent becomes evidence. A board policy that says client money is protected is worth nothing if the firm cannot prove, on any given day, that the Insurance Bank Account balance equals the sum of money it owes to insurers and clients. Build the cadence in three layers.
Daily. Match every receipt in the Insurance Bank Account to a debit note or policy reference. Clear the unallocated-receipts queue to zero, or document why an item cannot yet be allocated. This single habit catches most errors within twenty-four hours, before they compound.
Weekly. Run a three-way tie-out between the bank statement, the broking system ledger, and the insurer statements of account. Investigate ageing items over a defined threshold. Confirm that no remittance went out net of brokerage and that no refund has aged past its due date.
Monthly. Produce a client-money calculation: total insurance money the firm should be holding versus the actual protected balance. A surplus is acceptable and even prudent. A deficit, money the firm owes the trust position but does not hold, is a breach, and it must be funded from the firm's own resources immediately and escalated. Sign this off at a level senior enough that it cannot be quietly buried.
Automate the three-way match where you can. Broker back-office platforms can flag unmatched receipts and ageing remittances daily, which converts reconciliation from a month-end scramble into a live control the fraud framework expects to see.
The regulator and your PI insurer both read the same signal here: a firm that reconciles daily and funds deficits same-day is a firm where misappropriation has nowhere to hide.
How the April 2026 fraud framework changes the control standard
The Fraud Monitoring Framework does not invent new prohibitions. It raises the standard of proof the firm must hold that prohibitions are being enforced. For a broker, the relevant categories are intermediary fraud (the firm or its people defrauding insurers or clients) and internal fraud (employees defrauding the firm), and premium handling is where both most often surface.
Non-individual intermediaries are now expected to operate a fraud risk management framework sized to their business. In premium terms that means concrete, testable controls rather than a policy document.
- Segregation of duties. The person who receives premium should not be the person who reconciles the account or authorises remittances. In small firms where one person does everything, compensating controls and independent review become non-negotiable.
- Maker-checker on outbound payments. No single individual should be able to move money out of the Insurance Bank Account alone. Dual authorisation above a threshold is the baseline.
- Early-warning indicators. Ageing unallocated receipts, repeated refund delays, round-sum journal entries, and remittances that consistently lag the credit period are red flags the framework expects you to monitor, not discover at audit.
- Escalation and reporting. A defined route to the firm's nodal officer, and onward reporting where thresholds are crossed, so an internal event does not become a concealed one.
Concealment is the part that turns a recoverable loss into a licence-threatening one. The framework rewards firms that detect and report early and punishes those that sit on a known deficit. Brokers should also align this with their client-onboarding and AML workflow, because the same monitoring infrastructure serves both.
Cyber and DPDP duties ride the same payment rails
It is tempting to treat the April 2026 Information and Cyber Security Guidelines as an IT problem owned by a separate function. For premium handling, that separation is a mistake, because the same systems that move money also hold the payment and personal data the new guidelines protect.
The Insurance Bank Account is operated through net-banking and payment interfaces. The broking system that reconciles it holds client bank details, policy data, and personal information now squarely within Digital Personal Data Protection Act duties. A compromise of those rails is simultaneously a fraud event, a data-protection event, and a client-money event. The guidelines require incident reporting to CERT-In within six hours of detection, with copies to IRDAI, which means a payment-fraud incident triggers a clock the operations team must be drilled on, not just the security team.
The practical controls overlap heavily with the fraud-framework controls, which is the point.
- Access to initiate or authorise premium payments should sit behind strong authentication and least-privilege roles, reviewed regularly.
- Vendor and platform access to systems that touch the Insurance Bank Account is a third-party risk that needs the same scrutiny as any other data processor.
- Logs of who moved money, when, and on whose authorisation are both a fraud control and a forensic record if an incident reaches CERT-In.
The broker CISO's workplan and the head of operations should be reading each other's control registers. Treating premium integrity and data integrity as one programme is cheaper and more defensible than running two that each assume the other has it covered.
When premium handling becomes a PI and fidelity claim
Here is the part that should focus the principal's attention. A premium-handling failure rarely stays a single problem. It mutates into a coverage problem, and the coverage often is not there when it is needed.
The broker's professional indemnity policy, compulsory under IRDAI rules and the firm's own most important protection, responds to negligent acts, errors and omissions in the conduct of broking. It typically does not respond to dishonest or fraudulent acts of the insured firm, and intentional commingling or misappropriation by the principal sits in that exclusion. So the very event the fraud framework targets is often the event the PI cover declines. Brokers should read their PI wording specifically for how it treats employee dishonesty, client-money breaches, and the dishonesty of partners or directors.
The complementary cover is fidelity guarantee. Where an employee, not the firm, steals premium, a fidelity or commercial crime policy is the instrument that responds, subject to its own conditions on internal controls and reconciliation. Insurers writing fidelity expect to see exactly the reconciliation discipline described above, and a poorly controlled firm will struggle to claim because the loss could not be isolated to a dishonest employee.
For brokers advising corporate clients, the same logic sells. A client with weak cash controls faces the identical PI-versus-fidelity gap, and the broker who has lived it advises it credibly. Read alongside fidelity claims practice, this is a coverage conversation the disciplined broker can lead.
A 90-day plan to put premium discipline beyond audit reproach
None of this requires a transformation programme. It requires a sequenced, documented effort that a principal can finish in a quarter and defend at the next inspection.
First 30 days: prove the position
- Confirm the Insurance Bank Account is correctly designated and obtain or refresh the bank's written no-set-off, no-lien confirmation.
- Map the premium flow end to end and name an owner for every step.
- Run a one-off client-money calculation: what should the firm hold in trust versus what it actually holds. Fund any deficit immediately.
Days 30 to 60: build the cadence
- Stand up daily receipt allocation and the weekly three-way reconciliation, with a defined ageing threshold for escalation.
- Implement maker-checker on all outbound payments and segregate receipt, reconciliation and authorisation duties, with compensating controls in thin-staffed teams.
- Write the premium-handling section of the fraud risk policy with the early-warning indicators that matter for client money.
Days 60 to 90: harden and connect
- Tie the payment rails into the cyber and DPDP control register, including access reviews, audit logs and the six-hour CERT-In incident drill.
- Review the PI and fidelity wordings against the client-money exposures and close gaps at the next renewal.
- Brief the board, log the sign-off, and schedule the monthly client-money attestation as a standing item.
Do this, and premium handling stops being the quiet exposure the firm underwrites against itself. It becomes the control story the broker tells the regulator, the PI insurer, and the next large client, all of whom are now asking the same question.

