For Fraud Claims, Not All Call Back Procedures Are the Same

We are seeing more and more funds transfer and social engineering — also known as impersonation fraud — claims, and coverage for these claim scenarios varies from carrier to carrier. While there are several differentiating factors that could cause one carrier to approve a claim and another to deny it, the most common is how they structure their call back requirements.

In 2021, we watched nine different carriers respond to similar funds transfer claim scenarios. Challenges to a claim were almost always based on the bank’s perceived failure to meet the listed call back requirement. As we compare and contrast all nine, here are several key differences that should be reviewed prior to the next claim.

Social Engineering Versus Funds Transfer Fraud:
Many fidelity bond policies offer social engineering coverage with a sub-limit, versus the full limit for funds transfer fraud coverage. As such, it is helpful to know as early as possible in the claims process which of the two coverages will be referenced. The easiest way to contrast the two is that social engineering usually relates to the loss or theft of the entity's own funds, whereas funds transfer fraud usually relates to the loss or theft of a customer’s funds. While we have seen social engineering sub-limits as low as $50,000, the most common sub-limits are $250,000, $500,000 or $1,000,000. They are often based on the overall limits: for example, a $10 million bond is much more likely to have a $1 million social engineering sub-limit than a $2 million bond.

When Is a Call Back Required?
There is usually a dollar threshold; all transfers greater than that dollar amount require some form of call back. The larger the threshold, the better. The most common threshold matches the bond deductible; otherwise, thresholds usually range between $25,000 and $50,000.

Call Back Requirement Ranges

  • No Call Back Requirements: For some cyber policies, which may extend to covering funds transfer frauds or other social engineering coverage grants, there are no call back requirements. While this does exist, it is becoming less and less available as claims increase.
  • Underwriting Approved: Some bond policies include generic language that states any call back type can be accepted, as long as that type of verification was first approved by an underwriter. If your policy includes that, we suggest your bank coordinate a call with its bond underwriter to share the bank’s current call back process and procedure for their confirmation of acceptance.
  • Simple Call Back: Sometimes the only requirement is a confirmed call back to a pre-determined number.
  • “Or” Beats “And:” One carrier states that acceptable call back verification can be done by valid test key or call back to the person who initiated the instructions, or digital signature or use of username and password/PIN, or biometric authentication or any other recognized two-factor e-authentication.
  • Singular Call Back Requirement:
    • Only acceptable call back is the existence of some form of valid test key, which has been mutually agreed upon by customer and the insured.
    • Some form of out of band (a medium different from the original request) verification (voice, email or text) to a predetermined location requiring an affirmative reply.
    • One carrier states that the commercial customer coverage only applies if the transmittal method by which the institution received the fraudulent transfer request matched the method authorized by the commercial customer in the funds transfer agreement.
  • More Stringent Multiple Requirements:
    • We have seen requirements for out of band verification that must be recorded for coverage to be afforded.
    • Two-factor authentication, typically representing some form of user ID, PIN, token or dual authorization, and the existence of a written agreement.
    • A call back to a predetermined number set forth in written agreement and the institution preserving a recording of the call back/verification.
    • Sender verified instruction with a password, PIN or code and a call back to predetermined telephone number, documented in written agreement, with verification preserved.
  • Lastly, the requirement that is perceived to be the highest hurdle to get over is the requirement of some type of handwritten signature verification from two separate employees, within their authority. Note this level of stringent requirement often goes hand-in-hand with a much greater social engineering limit, including up to the full limit.

In summary, we see significant variations to call back requirements. We recommend banks review the policy language in place prior to any claim scenario to have as good a chance as possible to realize claims coverage.

10 Fraud Prevention Tips to Help Protect Your Institution

According to a recent study, organizations lose 5% of revenue to fraud each year — a staggering statistic. In an effort to help institutions decrease this percentage, here are 10 fraud prevention tips.

1. Confidential Hotline
This is the single most cost-effective anti-fraud action an institution can take. Tips via hotlines are the No. 1 way that frauds are detected, according to the ACFE 2020 Report to the Nations; most tips come from employees. We encourage banks to set up a confidential hotline operated by a third party and advertise it internally to all of their employees.

2. Fraud Awareness Training
Awareness training for employees can result in shorter duration for prospective fraudulent activities and lower losses. Institution-wide awareness is critical: Turn your employees and managers into fraud detectors and take advantage of all those eyes and ears.

3. Vendor Controls
Vendor fraud is very common because of the large number of payments going out to different companies and entities. Every company has vendors/suppliers, so it’s an easy place to perpetrate fraud. Some items to consider:

    • New vendor selection:
      1. Who can select?
      2. How are they selected?
    • Due diligence on new vendors:
      1. Is the vendor real?
      2. Is their pricing reasonable?
      3. Is the vendor related to an employee?
    • Periodically reassess vendor relationships.
    • Reduce or eliminate conflicts of interest.

4. Implement Good HR Practices
Conducting checks on candidates before they walk in the door can go a long way in preventing fraud. Additionally, having exit interviews can be a very useful tool in finding out about fraud, waste and abuse in your institution. Without the interview, exiting employees may not bother to tell you what they know.

5. Implement Mandatory Vacations
You know those employees who never take a vacation day, and if they do, they check in the whole time? It may not be because they are super dedicated. Many problems are identified during perpetrator vacations, because someone must fill in for them and perform their duties. Implementing mandatory vacations or job rotations can help identify fraudulent activities.

6. Credit Card, Expense Reimbursement Policies
Purchase and credit cards are a very common and convenient tool for committing fraud. Close monitoring with strong controls in place is essential to reducing the risk of this type of fraud. Start with a clearly defined policy on what is and is not acceptable. Card use for “business purposes” is not good enough.

    • What types of expenses do you really want to be paying?
    • What types of expenses are not acceptable?
    • What documentation is required?

7. Fraud Risk Assessment
Similar to going to the doctor for a checkup, banks should conduct a fraud risk assessment annually or biannually. The bank changes, and with those changes come different risks. A periodic fraud risk assessment can help adapt to those changes, allow executives to understand their institution’s fraud risks and focus their efforts. This assessment should be performed by someone who looks at fraud issues on a regular basis.

8. Segregation of Duties
This can be difficult for small or growing institutions that have controls that have not kept pace with their growth. Segregating duties is not a new concept, but it’s just as critical today as any time in the past.

A few places to focus on:

      • A/P access to signed checks.
      • A/P clerks who can set up vendors.
      • Payroll clerks who can set up new employees.

9. Code of Conduct
These can seem like “soft” controls, but it is critical that an institution has these in place so employees cannot claim “ignorance” that what they were doing was wrong. Policies to consider implementing include:

    • Anti-fraud policy.
    • Conflict of interest policy.
    • Policy related to gifts and gratuities.

10. Create the Right Culture
Culture is a critical component to fraud prevention. If leadership demands and displays integrity and transparency, it typically permeates through an institution.

    • Tone is set at the top: Management must “walk the walk.”
    • Create a positive workplace environment.
    • Establish a culture of honesty and high ethics.
    • Put an emphasis on doing the right thing.

Decades of experience have taught us that even if a bank implements all the tips above, it could still become a fraud victim. Fraudsters are infinitely creative with their schemes; detecting or preventing those schemes is a never-ending task. But when taken together, these top 10 tips can still go a long way in helping your institution mitigate its fraud risk.

This article is for general information purposes only and is not to be considered as legal advice. This information was written by qualified, experienced BKD professionals, but applying this information to your particular situation requires careful consideration of your specific facts and circumstances. Consult your BKD advisor or legal counsel before acting on any matter covered in this update.

Governance, Fraud and Corporate Culture: Sorting Through a Complicated Relationship

At first glance, the relationship between an organization’s or financial institution’s fraud risk and its corporate culture might seem obvious. Even a casual observer is likely to assume that a high-pressure, results-driven organization — with a culture that tolerates or even encourages people to cut corners or find loopholes and succeed at any cost — is bound to be at greater risk of financial reporting fraud and other risks. A root cause of many major scandals or frauds is dysfunction in the organization’s culture, with recent history offering numerous examples.

However, in many cases, the links between an organization’s corporate culture and fraudulent activity are not straightforward or clear-cut. The role that an organization’s underlying culture plays in contributing to fraud risk is often subtle and difficult to quantify, just as the culture itself can be challenging to define with specificity.

The critical question is how to develop a culture that reduces the risk of fraudulent activities and encourages ethical behaviors. The first step toward addressing that question is to develop a general understanding of what corporate culture is, what factors contribute to it and the role it plays in effective risk management.

It is essential that bank executives understand the relationship between culture and leadership, along with the reasons why it needs to be managed.

Organizational Culture and Why It Matters
Today’s definitions of “organizational culture” or “corporate culture” vary widely, from simple expressions such as “the way we do things here” to more complex and technical explanations.

All variations, distinctions and definitions of “corporate culture” or “organizational culture” have one thing in common: They describe characteristics that are primarily intangible and broadly dependent on individuals’ perceptions and interpretations of events and corporate priorities. This makes it inherently difficult to measure critical aspects of the culture and even more challenging to quantify the culture’s impact on an organization’s risk profile.

Virtually all of today’s widely recognized risk management systems or frameworks recognize the implied link between organizational culture and fraud risk. Specifically, the Committee of Sponsoring Organizations of the Treadway Commission framework defines an effective control environment as one in which personnel at all levels “demonstrate a commitment to integrity and ethical values.”

Shaping Culture: Start With a Diagnosis
As tricky as defining and measuring corporate culture are, it is even harder to shape and develop it. Many would argue that an organization’s culture is not something that can be created or built. To paraphrase from an interview with MIT Sloan School of Management Professor Edgar Henry Schein, an organization’s culture is something that is learned, not created.

One measurement option is to begin with a survey of employees. In addition to blatant examples of management’s arrogance, pressure, noncompliance or lax controls, surveyors should also be alert to subtle signs that certain risky behaviors might be tolerated or overlooked, even if they are not encouraged overtly.

Developing a Positive Culture: A Balanced Approach
Whether the risks are obvious or subtle, there are many positive steps boards and executive teams can take to shape both the control environment and the organization’s broader overall culture.

The 2020 World Economic Forum paper proposes six initiatives designed to provide what it describes as “a holistic approach to organizational ethics.”

  1. Build a new vision for boards
  2. Improve organizational oversight
  3. Review mission, strategy, and purpose
  4. Identify and encourage ethical leadership
  5. Increase organizational diversity and inclusion
  6. Measure stakeholder trust

This approach is but one example of the dozens of models, methods, and frameworks available to help organizations shape and adapt their corporate cultures. Virtually all such approaches share some common themes, such as the importance of senior-level commitment to ethical behaviors and the essential value of audits and other conventional risk management tools.

Above all, any effort to mitigate the fraud risks associated with organizational culture must work proactively to engage employees — ideally through a combination of ethics and compliance training programs along with less-overt cultural outreach efforts. Ultimately, as the World Economic Forum paper notes, “creating and sustaining a strong ethical culture is the key to creating an organization that makes behaving ethically as easy as possible.”

Visit bakertilly.com for a more comprehensive discussion of the topic.