Financial institutions, including banks, mutual funds and investment advisers, are facing an onslaught of modern threats. But for many, Chubb’s Ayo Oshodi argues, the fidelity bonds they use to mitigate risk are far from modern.
Consider the following scenarios:
- A panicked client calls his asset manager after seeing online that most of his seven-figure account has been withdrawn without his knowledge. A criminal had compromised the client’s email account and submitted a transaction request form to the asset manager that appeared legitimate.
- An investment adviser onboards a new client and indicates several investments were being made on the client’s behalf. A year later, the market hits a downturn, and the client tries to move the funds, but they are gone. They were stolen by the investment adviser, and the investments were never made.
- Criminals gain remote or physical access to ATMs and introduce “jackpotting” malware that enables accomplices posing as customers to drain all of the cash in the machines.
These schemes and many more like them represent real risks to financial institutions today. However, the unfortunate reality is that they are not typically covered by common fidelity bonds available in the market.
Regulations governing bonds outdated
The primary reason that traditional financial institution fidelity bonds are out of sync with the current risk environment is that the regulations setting bond requirements for institutions — ranging from banks, investment advisers and broker-dealers to asset managers, retirement plan managers and insurance companies — are woefully out of date.
For example, the Investment Company Act of 1940 established bonding requirements that still govern firms like mutual funds. ERISA retirement plan bonding requirements have their roots in the Welfare and Pensions Disclosure Act of 1958.
As a result, these regulations reflect the schemes of those eras, such as employee dishonesty and forgery. Risks that generate a sizable share of these losses today — social engineering and other computer-related crimes — simply could not have been contemplated back then.
In addition, the scale of potential risks has grown far beyond the regulatory compliance limits established decades ago. For instance, the ERISA bonding requirement for an entire retirement plan is generally capped at $500,000 for most plans, an amount that may now represent an insignificant fraction of the assets held by most plans.
It is surprising to many that investment advisers have no requirement to carry a fidelity bond at all, creating more potential exposure for these firms, their clients and other partner institutions. Certain brokerage firms are recognizing the potential risk and have begun requiring their partner adviser firms to buy an appropriate fidelity bond, but such requirements are far from universal.
As a result, compliance managers who are focused solely on remaining compliant with these regulations are likely missing major exposures that could put their institutions at significant risk.
Electronic fraud risk escalating
Financial institutions face increasingly frequent risks from modern electronic fraud schemes, including the theft of funds through unauthorized access to the firm’s computer systems, fraudulent funds transfer instructions and the social engineering of customers, executives and vendors.
Expanded connectivity of computer networks and systems provides additional avenues for hackers to gain access to a financial institution’s systems, including those hosted by third-party cloud service providers.
Social engineering typically leverages the widespread use of email, which provides criminals with cheap and efficient means of targeting victims. Whether by “spoofing” email accounts of trusted persons or breaching business partners’ email systems, criminals continue to successfully deploy social engineering schemes, catching even well-intentioned employees with deceitful emails, particularly those involving electronic payment instructions. Today’s criminals are employing more sophisticated social engineering attacks that are designed to manipulate a sender’s identity, intercept important messages and send messages that appear authentic to recipients.
The FBI estimates that more than $43 billion was exposed to email fraud from mid-2016 through 2021, with a per-incident average of more than $175,000. The bureau also noted a 65% increase in identified global exposed losses since 2019, which it partly attributed to pandemic restrictions that caused more organizations to conduct operations virtually. Increased remote work and digital adoption by companies have greatly expanded the points of vulnerability for fraudulent activity.
In recent years, banking moved into the top three industries likely to be targeted by brand phishing schemes, where criminals impersonate leading brands and acquire their customers’ personal information, then use those credentials to steal funds.
Although financial losses stemming from computer hacks, social engineering and phishing schemes, fraudulent fund transfers and even ATM jackpotting are more likely than ever, common financial institution bonds are not typically written to cover those types of losses.
Closing the risk gap
There are several steps you can take to help protect your institution against the full range of financial crime risks. A good place to start is engaging with your firm’s enterprise risk management process to help form a complete picture of your firm’s compliance obligations and contemporary technology-oriented exposures.
An important part of that effort is identifying ways to help reduce or eliminate potential losses. Among the best practices for defending against social engineering fraud attempts are verifying payment details by phone, requiring several employees to review transactions and account changes, using secure email and enabling multi-factor authentication wherever possible.
Another key to addressing risk gaps is reviewing your current fidelity bond to confirm whether it includes language granting coverage for the newer exposures. Bonds should be tailored for the unique risk exposures that face your specific type of institution.
Taking a proactive approach to identifying your firm’s full risk scope, from compliance obligations to modern fraud exposures, implementing measures to reduce those risks, and evaluating and updating your financial institution bond coverage will give your firm the best chance of limiting the impact of controllable fraud risks.