Wire fraud has become one of the most significant threats facing community banks in the last few years. Wire transfers used to be seen as an efficient and secure way to transfer funds from one account to another. However, because the transfers generally take place almost instantly, fraudsters are focusing their attention on ways to access customer account information to initiate wire transfers, and as a result, wire transfer fraud and resulting losses have increased significantly.
There are many methods through which fraudsters attempt to gain this information, including phishing attacks, impersonation and social engineering, malware and trojan horses, and fake charities and investment schemes. Still, one of the most common is through business email compromise. Business email compromise occurs when the fraudster gains access to a business’s email system and then, impersonating an employee of the company, submits a wire transfer request to the bank through the compromised email. While banks should ensure they are following their policies and procedures to verify the wire transfer request, including established security procedures such as a call back to the customer, it is expected that mistakes may still happen. However, what is not expected is that the bank’s insurance company, from whom the bank obtained an insurance policy to cover these types of losses, is denying coverage. The reasons for denial are even more surprising.
An increasingly common reason for denial is that the bank does not have a “written agreement” with the customer. While the bank likely does actually have a wire transfer agreement with the customer, especially for a business customer, if the agreement does not meet the requirements of what the insurance company states is a “written agreement,” the claim will be denied because the bank does not have a “written agreement.” In order to meet the definition of a written agreement under many insurance policies, the agreement must (a) be written, (b) authorize the bank to rely on email, voice, online or fax instructions from the customer to transfer funds, (c) include the names of the people who are authorized to initiate transfers or validate transfer instructions, including their phone numbers and email addresses, (d) set out a definitive and clear commercially reasonable procedure that will be used by the bank to verify all transfer requests, and (e) state that the bank will not act upon a request if (i) the bank is unable to obtain proper and satisfactory verification of the transfer instructions, (ii) there is inconsistency between the instructions and information previously supplied to the bank by the customer, (iii) instructions are not submitted in accordance with the bank’s established security procedures, and (iv) instructions are suspected by the bank to not be genuine.
It is crucial that your bank review its wire transfer agreement to ensure it meets the above requirements and the requirements of your insurance carrier. For example, when describing the security procedures to be used by the bank to verify the wire transfer request, a statement that “the bank may verify the request by performing a call back …” will likely result in denial of coverage because of the use of the word “may.” Insurance companies are stating that the use of the word “may” is not definitive — the bank may or may not perform a callback. Even if the bank performs the callback in accordance with the procedures, the agreement will not meet the definition of a written agreement in the insurance policy and coverage will likely be denied.
Insurance companies are also denying coverage if the wire instructions come from someone other than an individual listed in the wire transfer agreement, even if the initial request came from a named and authorized individual. For example, in a situation where the CEO is the individual authorized to make a wire transfer request but the CFO has the account information for the payee because the CFO is the one in receipt of an invoice, even if the CEO sends an email to the bank requesting the transfer and then asks the CFO to provide the wire details, the bank’s acceptance of the wire details from the CFO will likely result in denial of coverage because the CFO is not a named and authorized individual in the wire transfer agreement. More simply, the bank cannot accept wire instructions or wire details from any individual other than an individual named in the wire transfer agreement, even if that individual did not make the actual wire transfer request.
These reasons for denial are surprising to many banks that believe they have a thorough agreement and appropriate procedures in place. However, given the significant increase in wire transfer fraud and resulting insurance claims, insurance companies are strictly enforcing the terms of insurance policies. To avoid any surprise claim denial, your bank should review its insurance policies with its legal counsel to confirm the requirements for coverage, as well as its wire transfer agreement and procedures to ensure they meet the policy requirements. Failure to do so could result in your bank suffering a loss for which there is no insurance coverage.
Shelli J. Clarkston is an of counsel attorney in the Kansas City, Missouri, office of Spencer Fane LLP, where she provides financial institutions of all sizes with proactive legal counsel on regulatory and compliance matters, allowing them to conduct business and complete transactions with more precision, speed and cost-efficiency. She can be reached at (816) 292-8893 and sclarkston@spencerfane.com.