For Fraud Claims, Not All Call Back Procedures Are the Same

We are seeing more and more funds transfer and social engineering — also known as impersonation fraud — claims, and coverage for these claim scenarios varies from carrier to carrier. While several differentiating factors could cause one carrier to approve a claim and another to deny it, the most common is how they structure their call back requirements.

In 2021, we watched nine different carriers respond to similar funds transfer claim scenarios. Challenges to a claim were almost always based on the bank’s perceived failure to meet the listed call back requirement. As we compare and contrast all nine, here are several key differences that should be reviewed prior to the next claim.

Social Engineering Versus Funds Transfer Fraud:
Many fidelity bond policies offer social engineering coverage with a sub-limit, versus the full limit for funds transfer fraud coverage. As such, it is helpful to know as early as possible in the claims process which of the two coverages will be referenced. The simplest distinction is that social engineering usually relates to the loss or theft of the entity's own funds, whereas funds transfer fraud usually relates to the loss or theft of a customer's funds. While we have seen social engineering sub-limits as low as $50,000, the most common sub-limits are $250,000, $500,000 or $1,000,000. They are often based on the overall limits: for example, a $10 million bond is much more likely to have a $1 million social engineering sub-limit than a $2 million bond.

When Is a Call Back Required?
There is usually a dollar threshold; all transfers greater than that dollar amount require some form of call back. The larger the threshold, the better. The most common threshold matches the bond deductible; otherwise thresholds usually range from $25,000 to $50,000.

Call Back Requirement Ranges

  • No Call Back Requirements: For some cyber policies, which may extend to covering funds transfer frauds or other social engineering coverage grants, there are no call back requirements. While this does exist, it is becoming less and less available as claims increase.
  • Underwriting Approved: Some bond policies include generic language that states any call back type can be accepted, as long as that type of verification was first approved by an underwriter. If your policy includes that, we suggest your bank coordinates a call with its bond underwriter to share the bank’s current call back process and procedure for their confirmation of acceptance.
  • Simple Call Back: Sometimes the only requirement is a confirmed call back to a pre-determined number.
  • “Or” Beats “And”: One carrier states that acceptable call back verification can be done by valid test key, or call back to the person who initiated the instructions, or digital signature, or use of username and password/PIN, or biometric authentication, or any other recognized two-factor e-authentication.
  • Singular Call Back Requirement:
    • The only acceptable call back is the existence of some form of valid test key, which has been mutually agreed upon by the customer and the insured.
    • Some form of out of band verification (a different medium from the original request: voice, email or text) to a predetermined location, requiring an affirmative reply.
    • One carrier states that the commercial customer coverage only applies if the transmittal method by which the institution received the fraudulent transfer request matched the method authorized by the commercial customer in the funds transfer agreement.
  • More Stringent Multiple Requirements:
    • We have seen requirements for out of band verification that must be recorded for coverage to be afforded.
    • Two-factor authentication, typically representing some form of user ID, PIN, token or dual authorization, and the existence of a written agreement.
    • A call back to a predetermined number set forth in written agreement and the institution preserving a recording of the call back/verification.
    • Sender verified instruction with a password, PIN or code and a call back to predetermined telephone number, documented in written agreement, with verification preserved.
  • Lastly, the requirement that is perceived to be the highest hurdle to get over is the requirement of some type of handwritten signature verification from two separate employees, within their authority. Note this level of stringent requirement often goes hand-in-hand with a much greater social engineering limit, including up to the full limit.
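As an added illustration, not taken from the article or any carrier's policy wording, the following Python checker encodes several of the requirement shapes listed above as constructed profiles (threshold plus "or" style and/or "and" style elements) and reports which profiles a given transfer's verification evidence would satisfy. The profile names, thresholds and evidence labels are assumptions chosen for the example.

```python
"""Check a transfer's verification evidence against several call back
requirement shapes (constructed profiles, not any carrier's actual wording)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    threshold: float                    # transfers above this need a call back
    any_of: frozenset = frozenset()     # "or" style: one listed method suffices
    all_of: frozenset = frozenset()     # "and" style: every listed item required


# Constructed profiles paraphrasing the ranges in the list above.
PROFILES = [
    Profile("no_requirement", float("inf")),
    Profile("simple_callback", 25_000, any_of=frozenset({"callback_predetermined_number"})),
    Profile("or_beats_and", 25_000, any_of=frozenset(
        {"test_key", "callback_initiator", "digital_signature", "password_pin",
         "biometric", "two_factor"})),
    Profile("recorded_callback", 50_000, all_of=frozenset(
        {"callback_predetermined_number", "written_agreement", "recording_preserved"})),
    Profile("pin_plus_recorded_callback", 50_000,
            any_of=frozenset({"password", "pin", "code"}),
            all_of=frozenset({"callback_predetermined_number", "written_agreement",
                              "recording_preserved"})),
    Profile("dual_signature", 50_000, all_of=frozenset(
        {"handwritten_signature_employee_1", "handwritten_signature_employee_2"})),
]


def satisfies(profile, amount, evidence):
    """Return (met, reason) for one profile and one transfer's evidence."""
    if amount <= profile.threshold:
        return True, "at or below threshold; no call back required"
    ev = frozenset(evidence)
    if profile.any_of and not (profile.any_of & ev):
        return False, "none of the accepted methods used: " + ", ".join(sorted(profile.any_of))
    missing = profile.all_of - ev
    if missing:
        return False, "missing required element(s): " + ", ".join(sorted(missing))
    return True, "requirement met"


def coverage_report(amount, evidence):
    """Map each profile name to whether the evidence would satisfy it."""
    return {p.name: satisfies(p, amount, evidence)[0] for p in PROFILES}


if __name__ == "__main__":
    # Constructed $120,000 wire: call back to a number on file, written agreement, no recording.
    evidence = {"callback_predetermined_number", "written_agreement"}
    for name, ok in coverage_report(120_000, evidence).items():
        print(f"{name:28s} {'covered' if ok else 'NOT covered'}")
```

Running it shows the same evidence passing a "simple call back" profile while failing the recorded-call-back and dual-signature profiles, which is the variation the article describes.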

In summary, we see significant variation in call back requirements. We recommend banks review the policy language in place prior to any claim scenario to have the best possible chance of realizing claims coverage.

Questions to Ask About Internal Fraud: A Bank Director’s Guide


Among the many threats to shareholder value that bank directors must address, the risk of internal fraud is among the most challenging. Virtually all bank directors recognize their obligation to actively oversee the way the bank monitors its employees to mitigate the risk of fraud, but most directors also understand the need to avoid micromanaging day-to-day operations.

Treading the fine line between oversight and overstepping can be difficult. Often it means learning to ask the right questions of the right people, particularly of the bank’s senior management team.

Because every bank’s risk profile is unique, no single list of questions can fit every institution. Nevertheless, it is possible to outline some broad principles and useful questions within three general areas of strategic, board-level concern.

Corporate Governance
Major corporate governance elements related to internal fraud comprise management and oversight of the organization including the bank’s published code of conduct, written ethics policy, fraud policies and procedures, and loss reporting practices. Board members should exercise direct and active oversight of these components and be prepared to ask management a broad range of questions, including:

  • How frequently are our code of conduct and ethics policies reviewed and updated?
  • In addition to introducing our ethics policies during new employee training, how else—and how often—are these policies communicated and reinforced?
  • How are fraud losses identified, tracked and reported to the board? Are board members and executives regularly briefed on current fraud issues and trends by the appropriate managers?
  • Are employees able to report suspicious behavior outside the day-to-day management structure, or are they able to report it only through their immediate superiors?
  • Has the bank established a whistleblower hotline that allows employees to report suspected fraud anonymously?
  • How is hotline activity measured and tracked? How is the program’s effectiveness measured and evaluated?
  • How often is the whistleblower hotline publicized and reinforced in regular employee communications?

The Control Environment
The next broad area of board concern, the control environment, addresses the various tools, processes, and other components that implement the fraud policies prescribed by corporate governance. Issues of strategic-level concern in this area tend to revolve around training, accountability, and equitable treatment, as well as the effectiveness, efficiency and reliability of fraud reporting practices. Useful control environment questions for board members to ask include:

  • How is fraud awareness training being provided throughout the organization? Is awareness training tailored to each line of business?
  • Beyond awareness, do employees receive training on ethics, fair service and honest dealing?
  • Are employees being trained on specific anti-fraud practices and controls? Once trained, are they held accountable?
  • Are fraud policies implemented and enforced consistently and fairly? Are senior-level or revenue-producing personnel subject to the same enforcement as junior or administrative staff members?
  • Are anti-fraud controls consistently monitored and tested as part of the internal audit function?
  • Do employees know how to report fraud?

Incident Management and Response
The board of directors has primary responsibility for seeing that there is a defined structure and process for responding to fraud-related incidents and issues, including clearly defined roles and responsibilities. It is important that incident response protocols are applied consistently across the institution, rather than allowing each line of business to pursue its own course. To carry out this responsibility, directors should be prepared to ask questions such as:

  • Is there a high-level, organization-wide policy regarding incident management? Does it set forth adequate protocols including all relevant legal, reporting and regulatory requirements? Is the policy regularly reviewed and updated?
  • Who is the designated management-level employee with the authority to manage and administer fraud investigations and responses?
  • Has management taken adequate steps to support this employee with an appropriate team involving legal, human resources, internal audit, information technology and other departments?
  • Is there adequate oversight to allow fraud inquiries to proceed without interference from the affected lines of business?
  • Does the board receive regular briefings on material issues of fraud or fraud management?
  • How does the organization learn and evolve based on industry events and previous large incidents of fraud?

The scope of a director’s responsibility extends far beyond these three general areas alone, but starting with these broad topics can help board members maintain their focus at the strategic level while still posing challenging questions. In addition to establishing the appropriate “tone from the top,” such questions can help guide the management team toward more active and effective management of internal fraud risk.