We are seeing more and more funds transfer and social engineering — also known as impersonation fraud — claims, and coverage for these claim scenarios varies from carrier to carrier. While there are several differentiating factors that could cause one carrier to approve a claim and another to deny it, the most common is how they structure their call back requirements.
In 2021, we watched nine different carriers respond to similar funds transfer claim scenarios. Challenges to a claim were almost always based on the bank’s perceived failure to meet the listed call back requirement. As we compare and contrast all nine, here are several key differences that should be reviewed prior to the next claim.
Social Engineering Versus Funds Transfer Fraud:
Many fidelity bond policies offer the social engineering coverage with a sub-limit versus the full limit for the funds transfer fraud coverage. As such, it is helpful to know as early as possible in the claims process which of the two coverages will be referenced. The simplest distinction is that social engineering usually relates to the loss or theft of the entity's own funds, whereas funds transfer fraud usually relates to the loss or theft of a customer's funds. While we have seen social engineering sub-limits as low as $50,000, the most common sub-limits are $250,000, $500,000 or $1,000,000. They are often based on the overall limits: for example, a $10 million bond is much more likely to have a $1 million social engineering sub-limit than a $2 million bond.
When Is a Call Back Required?
There is usually a dollar threshold; all transfers greater than that dollar amount require some form of call back. The larger the threshold, the better. The most common threshold matches the bond deductible; otherwise thresholds usually range from $25,000 to $50,000.
Call Back Requirement Ranges
- No Call Back Requirements: For some cyber policies, which may extend to covering funds transfer frauds or other social engineering coverage grants, there are no call back requirements. While this does exist, it is becoming less and less available as claims increase.
- Underwriting Approved: Some bond policies include generic language that states any call back type can be accepted, as long as that type of verification was first approved by an underwriter. If your policy includes that, we suggest your bank coordinate a call with its bond underwriter to share the bank's current call back process and procedure and obtain confirmation of acceptance.
- Simple Call Back: Sometimes the only requirement is a confirmed call back to a pre-determined number.
- "Or" Beats "And": One carrier states that acceptable call back verification can be done by valid test key, or call back to the person who initiated the instructions, or digital signature, or use of username and password/PIN, or biometric authentication, or any other recognized two-factor e-authentication.
- Singular Call Back Requirement:
  - The only acceptable call back is the existence of some form of valid test key, which has been mutually agreed upon by the customer and the insured.
  - Some form of out of band (a different medium from the original request) verification (voice, email or text) to a predetermined location requiring an affirmative reply.
  - One carrier states that the commercial customer coverage only applies if the transmittal method by which the institution received the fraudulent transfer request matched the method authorized by the commercial customer in the funds transfer agreement.
- More Stringent Multiple Requirements:
  - We have seen requirements for out of band verification that must be recorded for coverage to be afforded.
  - Two-factor authentication, typically representing some form of user ID, PIN, token or dual authorization, and the existence of a written agreement.
  - A call back to a predetermined number set forth in a written agreement, and the institution preserving a recording of the call back/verification.
  - Sender-verified instruction with a password, PIN or code, and a call back to a predetermined telephone number documented in a written agreement, with the verification preserved.
  - Lastly, the requirement that is perceived to be the highest hurdle to get over is the requirement of some type of handwritten signature verification from two separate employees, within their authority. Note this level of stringent requirement often goes hand-in-hand with a much greater social engineering limit, including up to the full limit.
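A small rule evaluator, added here as an illustration and not taken from any carrier's policy wording, that encodes the requirement ranges above as "or" between alternative evidence bundles and "and" within a bundle, then reports what a given transfer verification would still be missing under each range. The dollar thresholds, policy names and evidence labels are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    threshold: float    # transfers above this amount require a call back (constructed values)
    alternatives: tuple # tuple of frozensets: each frozenset is one acceptable "and" bundle of
                        # evidence, the tuple is the "or" between bundles; empty = none required

# Constructed illustrations of the requirement ranges in the article, not carrier wording.
CALLBACK = "callback_to_predetermined_number"
POLICIES = (
    Policy("no call back requirement", 0, ()),
    Policy("simple call back", 25_000, (frozenset({CALLBACK}),)),
    Policy("any single method ('or' beats 'and')", 25_000, tuple(
        frozenset({m}) for m in ("test_key", "callback_to_initiator", "digital_signature",
                                 "username_password_pin", "biometric", "two_factor"))),
    Policy("recorded call back plus written agreement", 50_000,
           (frozenset({CALLBACK, "written_agreement", "recording_preserved"}),)),
    Policy("dual handwritten signatures", 50_000,
           (frozenset({"handwritten_signature_1", "handwritten_signature_2",
                       "signers_within_authority"}),)),
)

def call_back_required(policy: Policy, amount: float) -> bool:
    return amount > policy.threshold

def satisfies(policy: Policy, amount: float, evidence: set) -> bool:
    """evidence = the verification steps the bank actually performed and preserved."""
    if not call_back_required(policy, amount) or not policy.alternatives:
        return True
    return any(bundle <= evidence for bundle in policy.alternatives)

def gap_report(amount: float, evidence: set) -> dict:
    """Per policy: the evidence still missing from the closest acceptable bundle
    (an empty frozenset means the transfer meets that policy's call back requirement)."""
    report = {}
    for policy in POLICIES:
        if satisfies(policy, amount, evidence):
            report[policy.name] = frozenset()
        else:
            report[policy.name] = min((b - evidence for b in policy.alternatives), key=len)
    return report

if __name__ == "__main__":
    # Constructed sample: a $60,000 request verified by a recorded call back to the number on file.
    performed = {CALLBACK, "recording_preserved"}
    for name, missing in gap_report(60_000, performed).items():
        print(f"{name}: {'meets requirement' if not missing else 'missing ' + ', '.join(sorted(missing))}")
```

Running the sample shows the same verification passing the simple call back range while falling short of the recorded-call-back-plus-agreement range only by the written agreement, which is the kind of gap worth closing before a claim.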
In summary, we see significant variations to call back requirements. We recommend banks review the policy language in place prior to any claim scenario to have as good a chance as possible to realize claims coverage.