Ask the CFO of a community bank who handles their insurance and you’ll often hear: “We’re good. We’re on the ABA program” or “We use Travelers through ICBA.”
These aren’t bad answers. Industry-specific programs, endorsed by associations, exist for a reason. Some were created decades ago to solve real market failures, and they did. They’re tailored to the risks the industry faces, they aggregate buying power, and they simplify things down to a single carrier relationship instead of three or four separate ones.
But after auditing these programs I’ve also found the flipside: structural gaps in the standard forms that affect every bank on that program simultaneously. A gap in the form is a gap in every bank on the program.
And nobody is auditing these forms. Not the banks, not the brokers, not the associations that endorsed them years ago. The renewal goes through, the standard forms stay unread, and the rebate check arrives every year.
How the Programs Work
Endorsement: ABA + state associations
Scale: ~1,600 banks
Endorsement: ICBA
Scale: ~1,200 banks
Endorsement: CUNA
Scale: ~4,300 credit unions
Together, these programs cover the majority of US community banks and credit unions.
The programs bundle the core policies a financial institution needs: cyber, fidelity bond, D&O, and several liability coverages. They offer financial incentives and they’re endorsed by associations the financial institution trusts.
This is why banks stay. The relationship, the comfort of knowing thousands of other banks made the same choice, the rebate. Switching means disrupting the broker relationship and explaining to the board why you moved away from the association-endorsed option.
None of that tells you whether the coverage is adequate.
Where the Gaps Hide
In addition to auditing individual policies, I started auditing the programs themselves. Here are some of the structural issues I see.
Wire Fraud Coverage: Not Where You Think
On one program, the cyber policy contains no wire fraud or social engineering coverage. All of that sits on the bond.
That’s not inherently a problem. If the bond’s Funds Transfer Fraud and Social Engineering riders are in place and properly structured, the bank has coverage. The issue is that many banks on this program don’t know their cyber policy doesn’t cover wire fraud. They assume it does. And the bond riders that do cover it are optional, not included by default. If they weren’t purchased, or if the bank didn’t follow the verification procedures the bond requires, the claim gets denied.
Some programs put electronic crime coverage on both the cyber and bond sides for layered protection. That’s worth knowing when you compare programs.
The D&O Cyber Exclusion
One program’s D&O form contains what I consider among the broadest cyber exclusions in the bank D&O market. It blocks all D&O claims “arising out of or in any way involving” cyber banking services, electronic funds transfers, privacy and security regulations, or cyber publishing.
What this means in practice: after a data breach, the board and individual directors have zero D&O coverage for a regulatory investigation into cyber oversight failures. The cyber policy covers breach response costs. But if the regulator investigates whether the board met its oversight obligations, or names an individual director for failure of duty of care, that’s a D&O matter, and the D&O policy excludes it because it “involves” a cyber event.
Credential-Based Fraud Falls Between Policies
A customer gets phished. Their credentials are stolen. A fraudster uses those real credentials to log into the bank’s system and transfer funds.
On one program:
- The cyber policy says no: the credentials were stolen from the customer, not from the bank’s own system, so the loss is excluded
- The fidelity bond says no: the person who logged in had valid credentials, so the access was “authorized,” so the loss is excluded
The customer’s credentials were real. The access was authorized. The fraud was real too. But neither policy covers it because each one points to a different reason the loss is excluded.
This isn’t a rare scenario. It’s how most credential theft at banks works. And on this program’s standard forms, it falls between two policies with zero coverage.
The Deepfake Channel Gap
One program’s bond covers Funds Transfer Fraud across five defined communication channels: electronic/online communication, voice (telephone), fax, email, and software contractor communication.
Notice what’s missing. A CFO gets a Zoom call from someone who looks and sounds like the CEO, instructing an urgent wire transfer. That’s a deepfake video call, and these are increasingly easy to produce. It’s not a telephone call. It’s not a fax, not email, not the bank’s own electronic system. It doesn’t clearly fit any of the five defined channels.
Why Nobody Catches This
Three reasons:
The association endorsement creates comfort. “The ABA reviewed this” is what every bank assumes. But the ABA endorses the program. It doesn’t audit the coverage gap by gap against modern fraud vectors.
Standard forms don’t get reviewed. When a broker places a bank on a program, the forms are standard. There’s nothing to negotiate on the base form. The broker’s value is in selecting which optional riders to add, not in line-by-line form review. Many banks are never told which riders exist, let alone which ones they skipped.
The rebate discourages questions. A bank receiving a profit-sharing check every year has no economic incentive to examine whether the underlying policy forms are adequate. Questioning the program means risking the distribution.
The Fix Is Not Switching Programs
I don’t tell banks to leave their program. The programs have real strengths: single-carrier coordination, administrative simplicity, decades of claims history with the carrier.
The fix is understanding what the standard forms do and don’t cover, then closing the gaps that matter.
What to Ask Your Broker This Week
Before your next renewal, ask your broker these questions:
- Does our cyber policy include Funds Transfer Fraud / Social Engineering coverage, or is that only on the bond?
- Does our D&O have a cyber exclusion? If so, does it apply to regulatory investigations after a data breach?
- If a customer’s credentials are stolen and used to transfer funds, which policy responds?
If your broker can’t answer these without checking, that’s not a criticism of the broker. It’s evidence that nobody has read the standard forms.
For more on how wire fraud specifically falls between the bond and cyber policy, see The Wire Nobody Covers. For the fidelity bond conditions that most banks have never checked, see What Your Fidelity Bond Won’t Pay.
A Risk Intelligence Report audits your program’s standard forms against your bank’s operations and regulatory requirements. It identifies the gaps, scores their severity, and tells you which ones to fix first. Get in touch.
