Every community bank has a fidelity bond. Most boards treat it as a checkbox: we have it, it covers fraud, next agenda item.
Your carrier may call it Financial Institution Bond, crime policy, banker’s blanket bond, or just “the bond.” Regardless of the name, it’s the same product, and it works the same way: not as a blanket fraud policy, but as a collection of narrow insuring agreements, each with its own sublimit, conditions, and exclusions.
I’ve reviewed fidelity bonds for community banks and credit unions. In every one, I’ve found gaps the bank didn’t know existed. Here are the three that matter most.
The Sublimit That Doesn’t Match the Risk
Wire fraud is the most common fraud threat to community banks, and it isn’t close. Business email compromise is the costliest category of cybercrime in the country, and community banks are a primary target.
The social engineering sublimit on many fidelity bonds sits at $100,000 or $250,000. For a bank that regularly processes wire transfers in the hundreds of thousands, that sublimit can be exhausted by a single incident.
A $500,000 wire fraud loss with a $250,000 social engineering sublimit means the bank absorbs the other $250,000 out of operating income. If the bond also applies a co-payment (which many do), the bank’s share grows even larger.
The Verification Trap
Most bonds include a social engineering endorsement. It is the bank's main protection against wire fraud losses under the bond. The endorsement typically requires the bank to verify transfer requests through a separate communication channel (for example, confirming an emailed instruction by phone) before sending funds above a threshold, often $25,000.
The critical question is how the bond treats a verification failure.
Same Requirement. Different Consequences.
One phrase in your bond determines which outcome you get. Most banks have never checked.
When verification is framed as a mandatory requirement, the bank must prove it verified correctly for every covered transfer. One missed callback, one verification to a spoofed number, one employee who skipped the step under time pressure, and the claim is void. The whole claim, not just the amount above the threshold.
When the Employee Did Everything Right (and the Bond Still Denies)
Here is the scenario that catches many banks off guard: an employee receives a spoofed email that appears to come from a commercial depositor requesting a wire transfer. The employee logs in with their own credentials, accesses the customer’s account, and initiates the transfer. The money goes to a fraudster’s account. It’s gone.
The bank files a claim under the bond. The bond denies it.
Why? Because many bonds exclude losses when the person who accessed the system had legitimate credentials. The employee had authorized access. The employee used their own login. The fact that they were deceived into misusing that access doesn’t matter to the bond.
Courts have sided with carriers on this. In 2020, a Virginia federal court ruled that a community bank employee who voluntarily initiated a wire transfer, even though the instruction was fraudulent, triggered the bond’s voluntary parting exclusion. The employee’s authority was real. The instruction was fake. The carrier didn’t pay.
What the Bond Leaves to the Cyber Policy
There are categories of loss that the fidelity bond simply doesn’t address. These aren’t gaps in the bond. They’re outside the bond’s scope entirely.
Ransomware payments. The bond’s extortion coverage typically requires threats of bodily harm or physical damage. A $500,000 ransom demand to decrypt systems or prevent a data leak doesn’t qualify. This is covered by the cyber policy’s extortion or ransomware coverage, not the bond.
Incident response costs. These include forensics, breach notification, credit monitoring, regulatory reporting, and legal counsel during the 36-hour FDIC/NCUA notification window. The bond pays for stolen funds (if a trigger is met). It doesn’t pay for the response. That’s the cyber policy’s job.
Knowing where the bond stops and the cyber policy starts matters because the two don’t always line up. For a detailed look at how a single wire fraud loss can fall between both, see The Wire Nobody Covers.
What to Check Before Your Next Renewal
If you haven’t read your bond’s social engineering endorsement, checked the sublimit against your wire transfer volume, or verified whether the authorized access exclusion applies to your operations, a Risk Intelligence Report will surface those gaps before a claim does. Get in touch.