After the Ministry of Finance notification dated 3 May 2023, an Indian CA firm onboarding 80 new clients a year is a reporting entity under PMLA whenever it carries out any of five specified financial activities on a client's behalf — and must run customer due diligence, risk-classify every client, file STRs and CTRs with FIU-IND within 7 working days of suspicion, and retain records for 5 years after engagement closure, with tipping-off itself a criminal offence.
Operate a three-tier process: a PMLA trigger checklist at engagement intake to decide whether the firm becomes a reporting entity for that client; a risk-classification matrix (Low/Medium/High) that drives standard CDD or Enhanced Due Diligence with PEP screening and source-of-funds review; and a continuous-monitoring loop that surfaces STR/CTR triggers from the firm's reconciliation and ledger workflows. The Principal Officer files with FIU-IND via FINnet 2.0 and locks all records under a 5-year retention vault.
Engagement intake form mapping the five specified activities; PEP and sanctions screening at onboarding; Beneficial Owner threshold of 10% (25% for trusts); EDD memo template for High-risk and PEP-linked clients; STR/CTR red-flag rubric tied to reconciliation outputs; FIU-IND FINnet 2.0 Principal Officer credentials; 5-year retention vault keyed to engagement closure date.
Every client on the firm's book has a documented PMLA assessment on file, risk-classified with rationale, EDD memos where required, an audit trail of ongoing monitoring, STRs filed within 7 working days of suspicion, and full 5-year retention — no FIU-IND enforcement gaps, no Section 13 tipping-off exposure, and a defensible position if the firm itself is examined.
A practising Chartered Accountant in India who agrees to manage a client’s bank account, set up a private limited company for a client, or pool contributions to operate that company is — from 3 May 2023 onwards — a reporting entity under the Prevention of Money Laundering Act, 2002. The Ministry of Finance notification S.O. 2036(E) closed a long-standing gap by bringing CAs, CSs, and CMAs within the same compliance perimeter as banks, NBFCs, and stockbrokers when they perform any of five specified financial activities on a client’s behalf. This guide covers the full client due diligence and AML compliance process under PMLA for an Indian CA firm.
Quick Reference: PMLA Compliance for CA Firms
| Item | Requirement |
|---|---|
| Reporting entity status | Notification dated 3 May 2023 (S.O. 2036(E)) — applies when the firm carries out any of 5 specified activities for a client |
| Governing law | PMLA, 2002 and PML (Maintenance of Records) Rules, 2005 |
| Regulator | Financial Intelligence Unit — India (FIU-IND), Department of Revenue |
| Filing portal | FINnet 2.0 — Principal Officer credentials required |
| KYC for individuals | PAN, Aadhaar (masked), address proof, photograph |
| KYC for companies | CIN, MoA/AoA, board resolution, director list, Beneficial Owner declaration |
| Beneficial Owner threshold | 10% for companies and LLPs; 15% for partnerships; 25% for trusts |
| Risk classification | Low / Medium / High — drives standard CDD or Enhanced Due Diligence |
| Record retention | 5 years from cessation of business relationship or transaction date, whichever is later |
| STR filing deadline | 7 working days from formation of suspicion |
| CTR filing deadline | 15th of the month following the cash transaction month |
| CTR threshold | Aggregate cash transactions above 10 lakh in a month per client |
| Tipping-off offence | PMLA Section 13 — disclosing STR filing to the client is itself an offence |
| Principal Officer | Mandatory designation; communicates with FIU-IND on behalf of the firm |
When Does a CA Firm Become a Reporting Entity Under PMLA?
The 3 May 2023 notification was issued under Section 2(1)(sa)(vi) of PMLA, which empowers the Central Government to notify any person carrying on a designated business or profession as a reporting entity. The notification lists five specified activities, and the firm becomes a reporting entity for a given client only when one or more of those activities is in scope of the engagement.
The five specified activities are: buying and selling of any immovable property; managing of client money, securities, or other assets; management of bank, savings, or securities accounts; organisation of contributions for the creation, operation, or management of companies; and creation, operation, or management of companies, limited liability partnerships, or trusts, and buying and selling of business entities.
A firm that runs monthly TDS reconciliation, GSTR-2B matching, statutory audit, or tax return filing for a client is not, on those activities alone, a reporting entity. The trigger is acting on the client’s behalf in a financial transaction of the kind listed. The practical implication is that a firm with 200 clients may find that 40 of them — those for which the firm holds a Power of Attorney on a bank account, incorporates SPVs, or pools contributor capital — fall within the PMLA perimeter, while the remaining 160 do not. The firm must document this assessment at engagement intake for every client, every year.
What Is the Customer Due Diligence Process?
CDD has four pillars under Rule 9 of the PML (Maintenance of Records) Rules, 2005: client identification, beneficial owner identification, purpose-of-engagement understanding, and ongoing monitoring. For an individual client, identification rests on PAN plus Aadhaar (with the first 8 digits masked per UIDAI guidance), supported by a current address proof and a photograph. For a non-individual client — private limited company, LLP, partnership firm, trust, HUF — the firm collects the constitutive documents, the latest list of directors or partners, and a Beneficial Owner declaration.
Beneficial Owner identification is the harder leg. PMLA defines BO thresholds: any natural person holding 10% or more in a company or LLP, 15% or more in a partnership, or 25% or more in a trust, is a Beneficial Owner. Where ownership is held through a chain of entities, the firm must trace through to the natural person. Refusal by the client to provide BO information is itself a red flag and grounds for refusing the engagement.
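The Beneficial Owner trace described above, as an added example (not code from the original page): it walks a multi-layer shareholding register down to natural persons and applies the 10/15/25% thresholds the page states. The look-through rule (multiply along each chain, sum across chains), the function names, and the sample entities are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds as stated on this page, keyed by the client's entity type.
BO_THRESHOLD = {"company": 0.10, "llp": 0.10, "partnership": 0.15, "trust": 0.25}


def effective_stakes(client, holdings, natural_persons):
    """Return ({person: effective stake in client}, [holders that block the trace]).

    holdings maps an entity to {holder: fraction held}. Assumed look-through
    rule: multiply fractions along each chain, sum across chains.
    """
    stakes = defaultdict(float)
    untraced = set()

    def walk(entity, fraction, path):
        for holder, share in holdings.get(entity, {}).items():
            stake = fraction * share
            if holder in natural_persons:
                stakes[holder] += stake
            elif holder in path:
                untraced.add(holder)  # circular holding: never reaches a person
            elif holder not in holdings:
                untraced.add(holder)  # no register on file: trace incomplete
            else:
                walk(holder, stake, path | {holder})

    walk(client, 1.0, {client})
    return dict(stakes), sorted(untraced)


def beneficial_owners(client, entity_type, holdings, natural_persons):
    """Apply the page's threshold for the client's entity type."""
    stakes, untraced = effective_stakes(client, holdings, natural_persons)
    limit = BO_THRESHOLD[entity_type]
    owners = {p: round(s, 4) for p, s in stakes.items() if s >= limit - 1e-9}
    return owners, untraced


# Constructed sample: a private limited company held through two layers.
HOLDINGS = {
    "ClientCo Pvt Ltd": {"HoldCo A": 0.60, "Asha": 0.08, "OffshoreCo": 0.32},
    "HoldCo A": {"Ravi": 0.50, "HoldCo B": 0.50},
    "HoldCo B": {"Asha": 0.20, "Meera": 0.80},
}
PERSONS = {"Asha", "Ravi", "Meera"}

if __name__ == "__main__":
    print(beneficial_owners("ClientCo Pvt Ltd", "company", HOLDINGS, PERSONS))
```

In the sample, Asha's 8% direct holding and 6% indirect holding each fall below 10% but together make her a Beneficial Owner, and the 32% holder with no register on file is returned as an open item rather than silently dropped.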
The firm then risk-classifies each client as Low, Medium, or High. Low risk includes salaried individuals with simple affairs, listed company subsidiaries with public disclosures, and government-owned entities. Medium risk includes most private limited companies, partnerships, and HNI individuals. High risk includes Politically Exposed Persons (PEPs), clients from jurisdictions on the FATF grey list, non-face-to-face onboardings, cash-intensive businesses, and any client whose source of funds is opaque. High-risk clients trigger Enhanced Due Diligence: senior partner approval, source-of-funds documentation, and shorter monitoring cycles. The classification rationale must be on file — a one-line “Low” tag is not defensible.
What Triggers a Suspicious Transaction Report?
An STR is triggered when the firm has reasonable grounds to suspect that a transaction, attempted or completed, involves proceeds of crime, is unusually complex, has no apparent economic rationale, or appears structured to evade reporting thresholds. The suspicion test is subjective, but FIU-IND has published red-flag indicators. Common triggers a CA firm encounters in the course of routine work include: cash deposits structured in amounts just below 10 lakh to dodge CTR reporting; round-tripping where a client funds itself through a chain of shell entities; third-party funding from counterparties with no commercial relationship; PEP-linked transactions where source of funds is refused; and rapid in-out movement of large balances through accounts the firm manages.
The firm’s ongoing reconciliation workflow is, in fact, the most efficient generator of STR triggers. When the firm’s reconciliation software flags a vendor whose GSTIN repeatedly fails GSTR-2B matching despite being a regular counterparty, or when a bank narration pattern shifts abruptly from operational to capital movements, the article clerk should escalate to the Principal Officer for an STR assessment rather than close the variance as a routine exception. Linking the AML monitoring layer to the reconciliation layer means the firm is not running a separate compliance theatre — the same workflow surfaces both statutory variances and AML red flags.
Once the Principal Officer forms suspicion, the STR must be filed with FIU-IND within 7 working days. The filing is confidential. PMLA Section 13 makes tipping off the client — disclosing that an STR has been filed, or even that one is under consideration — a separate offence punishable with imprisonment up to 2 years.
How Do You File With FIU-IND?
Filings go through FINnet 2.0, the FIU-IND filing portal, using credentials issued to the firm’s Principal Officer. The Principal Officer is a designated partner or senior employee — typically a partner with at least 5 years of post-qualification experience — who is the single point of contact with FIU-IND. The firm registers the Principal Officer and a Designated Director with FIU-IND once, then files all subsequent STRs, CTRs, NTRs (Non-profit Organisation Transaction Reports), and CCRs (Counterfeit Currency Reports) through that account.
For CTR: aggregate all cash transactions above 10 lakh per client per month — including a single cash transaction of 10 lakh or above, or a series of integrally connected cash transactions cumulatively exceeding 10 lakh in a month — and file by the 15th of the following month in the prescribed format.
For STR: file within 7 working days of forming suspicion. The filing includes client identification, transaction details, the reason for suspicion, and supporting documents. There is no monetary threshold for STRs — a suspicious transaction is reportable irrespective of amount.
How Long Are Records Retained?
PMLA Section 12 and Rule 6 require that all records of client identification, beneficial owners, and transactions be retained for 5 years from the date of cessation of the business relationship with the client, or from the date of the transaction, whichever is later. The retention vault must include: signed engagement letter, CDD documentation, risk classification rationale, EDD memo where applicable, every STR and CTR filed with the FIU-IND acknowledgement, and the ongoing monitoring log.
Records must be made available to FIU-IND, the Director (Enforcement), or any other officer authorised under PMLA on request. Digital storage is permitted provided the records are retrievable in legible form and the audit trail (who accessed, when, what was changed) is preserved. Firms using reconciliation software with multi-tenant audit trails inherit the retention discipline as a side effect — every reconciliation run, every exception note, every sign-off is timestamped and attributed.
Worked Example: 80 New Client Onboardings in a Fiscal Year
A mid-tier CA firm in Bangalore onboards 80 new clients across a fiscal year — roughly 7 per month with seasonality around April and October. The firm runs a structured PMLA assessment at engagement intake.
| Step | Owner | Time per client | Output |
|---|---|---|---|
| Intake form — five activity trigger checklist | Senior associate | 20 minutes | PMLA-in-scope flag (Yes/No) per activity |
| KYC collection — individual or entity | Article clerk | 45 minutes | PAN, Aadhaar (masked), address proof, CIN, MoA, BO declaration |
| Beneficial Owner trace — multi-layer entities | Senior associate | 60 to 180 minutes | BO chart to natural person with 10/15/25% thresholds applied |
| PEP and sanctions screening | Article clerk | 15 minutes | Screening hit/no-hit log against published lists |
| Risk classification — Low/Medium/High | Manager | 30 minutes | Classification with documented rationale |
| EDD memo for High-risk clients | Partner | 90 minutes | Source-of-funds documentation, senior partner sign-off |
| Engagement letter with PMLA clauses | Partner | 15 minutes | Signed letter with confidentiality and termination clauses |
Across 80 clients, the firm projects classification as 55 Low, 20 Medium, and 5 High risk. Standard CDD averages 2 hours per client; EDD on the 5 High-risk clients adds another 2 hours each. Total annual onboarding effort: approximately 170 partner and senior hours plus 90 article clerk hours. The investment is non-negotiable — the alternative is a PMLA enforcement notice and personal liability on the Designated Director.
Ongoing monitoring then runs across the full book. The firm reviews every Medium-risk client annually and every High-risk client semi-annually. Triggers for re-classification include change in directorship, change in business model, FATF-related jurisdictional changes, and red flags surfaced by the monthly reconciliation cycle.
Tax Overlay: PMLA Touches the TDS and Income Tax Workflows
PMLA compliance is not isolated from the firm’s tax workflow. Sections 393, 394, and 413 of the Income Tax Act, 1961 (as renumbered under the Income Tax Act, 2025 effective 1 April 2026) define the firm’s reporting obligations on cash receipts and high-value transactions, which overlap substantially with PMLA’s CTR trigger of 10 lakh. The firm should align Form 61A (Statement of Financial Transactions) preparation with the CTR feed — both pull from the same client-level cash-transaction ledger.
The TDS workflow generates AML signal too. Payment codes 1001 through 1092 under the 2026 TDS migration carry counterparty information that, when reconciled against Form 26AS, can surface counterparties that do not appear elsewhere in the client’s ledger — a classic round-tripping indicator. A firm running TDS reconciliation software that surfaces these anomalies as exceptions is feeding the AML monitoring loop without additional effort.
Continue Reading: CA Firm Cluster
A CA firm running PMLA-grade due diligence also needs the operational rhythm to actually execute it across 80 clients every month. The CA firm client reconciliation workflow India covers the onboarding-to-filing cycle that surfaces the AML triggers in the first place. Firms looking to scale the underlying platform should review reconciliation software for CA firms India and the outsourced GST compliance reconciliation India playbook for multi-tenant practice operations.
For the source notification text and the prescribed activities, see the Ministry of Finance Notification dated 3 May 2023, which formally brought CAs, CSs, and CMAs into the PMLA reporting entity perimeter.
Frequently asked questions about CA firm client due diligence and AML compliance under PMLA are answered below.