The Regulatory Framework: PMLA and IRDAI Guidelines
Insurance companies in India are 'reporting entities' under the Prevention of Money Laundering Act 2002 (PMLA). This subjects them to the same KYC, customer due diligence (CDD), and suspicious transaction reporting (STR) obligations as banks. IRDAI's Master Circular on Anti-Money Laundering (AML) and Know Your Customer (KYC) guidelines prescribe detailed compliance requirements.
The Financial Intelligence Unit-India (FIU-IND) oversees transaction reporting, while IRDAI enforces sector-specific AML/KYC norms. Insurers must file cash transaction reports (CTRs) for transactions exceeding INR 10 lakh and suspicious transaction reports regardless of amount. Non-compliance can result in penalties under Section 13 of PMLA, including fines up to INR 5 lakh per default.
KYC Requirements for Commercial Insurance
For commercial insurance policies, KYC requirements are more extensive than for retail covers. Insurers must verify the identity and address of the proposer, beneficial owners holding a stake of 25% or more, and authorised signatories. Documents required include the certificate of incorporation, PAN, GST registration, a board resolution authorising the insurance purchase, and identity proof of key management personnel.
For partnerships and proprietorships, the partnership deed or registration certificate, plus individual KYC of all partners, is mandatory. Enhanced due diligence (EDD) applies to politically exposed persons (PEPs), high-value policies with premiums exceeding INR 50 lakh, and entities in high-risk jurisdictions. Underwriters must flag such cases for compliance team review before policy issuance.
Customer Due Diligence: Risk-Based Approach
IRDAI mandates a risk-based approach to customer due diligence. Insurers must categorise clients into low, medium, and high-risk categories based on factors such as nature of business, premium size, geographical location, and transaction patterns. High-risk clients require enhanced due diligence including source of funds verification.
For commercial underwriters, the risk categorisation intersects with underwriting risk assessment. A manufacturing unit in a sensitive border area handling large premiums may trigger both underwriting concerns and AML red flags. Integrating AML risk scoring into the underwriting workflow ensures dual compliance without duplicating effort. Regular re-verification is required — annual for high-risk clients and every three years for others.
Suspicious Transaction Reporting
Insurers must report suspicious transactions to FIU-IND within seven working days of detection. Suspicious indicators in commercial insurance include unusually high premiums relative to business size, frequent policy cancellations with refund requests, proposals from shell companies, premium payments from unrelated third parties, and requests for assignment of policies without clear business rationale.
Underwriters are the first line of defence in detecting suspicious activity. If a proposal raises red flags — such as a newly incorporated company seeking INR 50 crore property cover with immediate inception — the underwriter must escalate to the compliance officer. The 'tipping off' prohibition under PMLA prevents disclosing to the client that an STR has been filed.
E-KYC and Digital Verification
IRDAI now permits e-KYC through Aadhaar-based authentication, Video-KYC, and Central KYC (CKYC) registry integration. For commercial policies, digital verification accelerates onboarding — particularly for SME clients where manual document collection can delay policy issuance.
Insurers must integrate with the CKYC registry (managed by CERSAI) to upload and retrieve KYC records, reducing duplication. The CKYC number, once assigned, serves as a universal identifier across financial services. Underwriting teams should leverage CKYC data to pre-populate proposal forms and verify existing customer records, improving both compliance and operational efficiency.
Building an Effective AML Programme
An effective AML programme requires board-level commitment, a designated Principal Officer reporting to FIU-IND, and a compliance function independent of business operations. Regular training for underwriters, agents, and brokers on recognising suspicious activity is mandatory under IRDAI guidelines.
Insurers should conduct annual AML risk assessments, maintain transaction monitoring systems, and perform periodic internal audits of KYC compliance. Record retention requirements under PMLA mandate keeping all customer identification records for five years after the business relationship ends and transaction records for five years after the transaction. Technology investments in automated screening against sanctions lists and PEP databases are now essential for commercial lines.