Category: Crime & fidelity · Reviewed by Jake Leat, Associate Director · Last reviewed 2026-06-05
Funds transfer fraud cover (FTF) is the section of commercial crime insurance responding to loss caused by fraudulent electronic instructions to a financial institution (typically the insured’s bank) to transfer money from the insured’s account, distinct from but overlapping with computer fraud cover and social engineering fraud cover.
Category: Crime and fidelity Also known as: FTF cover, funds transfer fraud section, Insuring Clause H (in Lloyd’s BBB wording) First codified: Lloyd’s wordings from c.1990s as electronic banking became widespread Related legislation: Computer Misuse Act 1990 [1]; Fraud Act 2006 [2]; Payment Services Regulations 2017 [3]; Insurance Act 2015 [4]
Funds transfer fraud cover responds to financial loss arising when an unauthorised actor causes the insured’s bank or other financial institution to transfer money from the insured’s account. The classic scenario involves fraudulent instructions sent to the bank — historically by forged paper instructions, increasingly by electronic instructions through online banking, SWIFT or similar payment channels — purporting to be from the insured but in fact originating from an unauthorised actor [5][6].
The cover responds for the insured’s loss from the unauthorised transfer, subject to policy limits and conditions. The ‘discovery basis’ typical of crime insurance applies: the loss must be discovered during the policy period, with retroactive provisions for losses arising from acts committed before but discovered during the policy period [5][6].
The boundary with computer fraud cover requires careful analysis. Computer fraud typically involves manipulation of the insured’s own systems to cause an unauthorised transfer (the insured’s payment system is compromised); funds transfer fraud typically involves a fraudulent instruction to a third-party financial institution to transfer from the insured’s account (the bank receives the fraudulent instruction). The fact patterns can overlap and policies often include both sections to ensure cover [5][6].
The boundary with social engineering fraud cover is also important. Social engineering fraud typically involves the insured itself being induced by impersonation to authorise a transfer; funds transfer fraud typically involves the bank acting on fraudulent instructions without the insured’s authorisation. The ‘authorisation’ point is critical: if the insured authorised the transfer (even if induced by fraud), the transfer is not ‘unauthorised’ for funds transfer fraud cover purposes and social engineering fraud cover is engaged instead [5][6].
The substantive criminal law underlying funds transfer fraud cover is set by the Fraud Act 2006 (section 2 fraud by false representation), the Computer Misuse Act 1990 (where the fraud involves computer system access) and the Forgery and Counterfeiting Act 1981 (where forged instructions are involved). The interactions between these statutes can be complex in fact patterns involving multiple criminal acts [1][2][7].
The Payment Services Regulations 2017 (implementing the EU Second Payment Services Directive, PSD2, as retained UK law post-Brexit) impose obligations on banks and payment service providers in respect of unauthorised payment transactions. Regulation 76 entitles a payer to refund of an unauthorised payment from the payment service provider, subject to defences for the payer’s gross negligence or fraud. The interplay between PSR 2017 entitlements and funds transfer fraud cover requires careful management — the insurer typically expects the insured to pursue any PSR-based refund before claiming under the policy [3][8].
The Insurance Act 2015 governs the duty of fair presentation for funds transfer fraud insurance placements. Disclosure of payment system arrangements, internal control structures, prior incidents and high-risk operations is important [4].
The Data Protection Act 2018 (UK GDPR) and the Network and Information Systems Regulations 2018 may apply to funds transfer fraud events depending on the data and infrastructure affected [9].
The Banking Conduct of Business sourcebook (BCOBS) in the FCA Handbook governs the conduct of banks toward their retail and small business customers, with provisions affecting the bank’s response to unauthorised transactions. The Authorised Push Payment (APP) fraud reimbursement scheme, made mandatory for most banks from October 2024 under PSR 2017 amendments, addresses certain social engineering and related frauds with consumer reimbursement obligations [8].
Funds transfer fraud cover is typically written as a section of commercial crime insurance or banker’s blanket bond. For commercial operators, the cover is typically at limits aligned with the broader policy structure. For financial institutions, the cover is integrated into the BBB at substantial limits reflecting the volume of payment transactions [5][6].
Underwriters assess funds transfer fraud risk based on the insured’s payment arrangements, internal control structures (authorisation requirements, dual signing, segregation of duties, verification procedures), prior incidents, the specific payment systems and applications used, and the cyclical state of the market. Premium reflects the bespoke risk and broader market dynamics; the cover has hardened significantly since c.2018 reflecting growth in payment-related fraud [5][6].
Claims handling for funds transfer fraud events involves immediate banking channel response (attempting to recall or freeze the fraudulent transfer through the banking system), forensic investigation, banking channel recovery efforts (which can be effective for fraudulent UK domestic transfers if identified within hours but become rapidly ineffective for international transfers), notification to Action Fraud and law enforcement, and (where personal data is involved) notification to the ICO [5][6].
The PSR 2017 refund framework is the first port of call in many cases. Where the bank refunds the fraudulent payment under the PSR regime, no insurance loss arises. Where the bank declines refund (typically on the basis of the insured’s gross negligence in authorising or failing to prevent the fraud), the insurance cover responds for the unrecovered loss, with the insurer often actively engaged in any subsequent dispute with the bank [5][6].
Standard funds transfer fraud: cover for fraudulent transfers from the insured’s account.
Customer funds transfer fraud: cover (within financial institution policies) for fraudulent transfers from customer accounts where the institution is responsible.
Wire fraud: alternative US-market terminology for the same concept.
Authorised push payment (APP) fraud: variant of social engineering fraud where the victim is induced to authorise a payment (typically dealt with under social engineering fraud cover rather than funds transfer fraud cover).
Cheque fraud: traditional version covering forged or altered cheques (typically within the broader forgery section of the crime policy).
Combined computer-enabled fraud cover: integrated cover for funds transfer fraud, computer fraud and social engineering fraud within a single section.
Sub-limited funds transfer fraud: where the cover is at a substantially lower sub-limit than the broader crime cover.
Financial institution funds transfer fraud: enhanced cover for banks within the BBB structure.
A UK mid-market business places commercial crime insurance with funds transfer fraud cover of £5m and a deductible of £25,000 per occurrence. The policy includes a condition requiring dual authorisation for transfers above £50,000. During the policy year, fraudulent SWIFT instructions purporting to be from the company’s CEO are sent to the company’s bank, instructing transfer of £1.2m to an overseas account. The bank processes the transfer in breach of the dual-authorisation requirement that should have applied. The fraud is detected within 36 hours and the bank recovers approximately £400,000 through international banking channels. The balance of £800,000 is paid under the funds transfer fraud cover, with the insurer pursuing the bank for breach of its own internal controls. Figures in this example are illustrative.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-05. Next review: 2026-12-05.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
Get a quote