Fund-transfer fraud - an employee deceived into paying money to a criminal, often after an email account is compromised or an invoice is spoofed - is one of the hardest losses to place cleanly across an insurance programme. It can touch professional indemnity, cyber and commercial crime cover, and each may point at the other.
Where client money is lost, the firm may owe the client the value of the missing funds. A solicitor who releases completion monies to a fraudster's account, or an accountant who acts on a spoofed client instruction, may face a claim that the firm failed to take reasonable care. That third-party liability can engage the PI policy - but many PI wordings now carry specific exclusions for the firm's own loss of funds and for fraud, so the cover is not automatic.
Where the firm loses its own money rather than a client's, PI does not respond because there is no third-party claim. First-party fund-transfer loss is the province of cyber cover, if the fraud was cyber-enabled, or of a commercial crime policy, which covers theft and social engineering more broadly. Cyber wordings differ sharply on whether social-engineering fraud is inside or outside cover, and many require a sub-limit to be selected.
Firms should not assume the bank will absorb the loss. In Philipp v Barclays Bank UK plc [2023] UKSC 25 the Supreme Court held that a bank generally owes no duty to refuse to carry out a customer's own validly authorised payment instruction, narrowing the so-called Quincecare duty in authorised push-payment cases. Recovery from the receiving or sending bank is therefore uncertain, which puts the weight back on the firm's own insurance and controls.
The reliable protection is a combination of controls and a programme where the fund-transfer exposure is deliberately placed rather than assumed. That means checking the PI exclusion, the cyber social-engineering sub-limit and any crime cover together. Apex reviews the three wordings as a set so a firm knows which policy answers a spoofed-instruction loss before it happens.
Insurers pricing this exposure look closely at the firm's payment controls, because the loss is so often preventable. The features they expect are dual authorisation for payments above a threshold, independent verification of any change to a supplier's or client's bank details using a known contact rather than the details in the request, and staff trained to treat urgency and secrecy in a payment instruction as warning signs. A firm that can evidence these controls presents a better risk and is more likely to secure meaningful social-engineering cover.
The controls matter for coverage as well as prevention. Some wordings make cover conditional on the firm having followed its own verification procedure, so a lapse can both cause the loss and defeat the claim. Apex helps clients align their payment controls with what the market expects, so the cover responds and the fraud is less likely to succeed in the first place.
Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.