Skip to main content
main content, press tab to continue
Article

Analyzing fintech crime risks through insurance claims: A data-driven approach

By Anthony Rapa | February 4, 2025

What can claim data tell us about the differences between fintech and traditional financial institutions risks?
Financial, Executive and Professional Risks (FINEX)
N/A

In the first part of our series, we examined the cyber risks faced by fintechs through insights from WTW’s claims database. In this installment, we turn our focus to crime, an important but often overlooked risk in the fintech world.

While crime doesn’t always command the same attention as cyber threats, understanding its nuances is crucial for fintech firms operating in an increasingly complex environment. Crime in the fintech sector isn't just about financial loss; it affects operational integrity and client trust. Fintech companies, with their diverse range of services and digital-first approaches, face unique challenges that differ from those of traditional financial institutions. By analyzing WTW’s claims data, we can shed light on these challenges and explore ways fintechs can better match their insurance coverage to their risks.

Examining crime claims in fintech

Claims made against crime policies account for 8% of all notifications made by fintechs in WTW’s database, placing it third behind cyber (41%) and E&O (32%) [1]. Comparing fintech to other financial sectors, we see:

  • Retail banks: Crime claims represent 41% of notifications, the largest category for this sector
  • Wealth advisors and asset managers: Crime claims account for 4% and 3% of their notifications, respectively
  • Insurance companies: Crime claims make up about 7% of their notifications

While this might suggest that crime is a less significant concern, this figure alone doesn't tell the whole story. “Fintech” is an umbrella term encompassing a wide array of companies engaged in different financial activities, from payment processors and online lenders to wealth tech and insurtech firms. The types and frequencies of crime exposures can vary significantly across these sub-sectors.

The variety of business models and operational structures within the fintech world means that crime risks can differ markedly from one fintech firm to another. For instance, a payments company might be more susceptible to electronic theft and social engineering, while a wealth tech firm might encounter different challenges. Additionally, how fintechs classify and report crime incidents can influence these statistics. Many crime-related events, especially those involving social engineering, might be reported under cyber policies rather than crime policies, potentially understating the true extent of crime exposures when looking solely at crime claim notifications.

The key takeaway here then is that fintechs should take care to understand their unique risks before determining their crime insurance needs. Particularly for growing firms, who often purchase insurance limits based largely on the contractual requirements imposed on them by investors and business partners, do not assume that the minimum amount is enough. Moreover, 8% of gross notifications are nothing to sneeze at – a good reminder that no matter how innovative your platform or business model, no firm is immune to financial crime.

More to the story

But does the 8% notification to crime policies really tell us the whole story? As noted above, the lower incidence proportionally of reported claims to crime policies may be partially attributable to how insurers cover modern financial crime risks.

Though beyond the scope of this article, the use of computers to perpetrate financial fraud has been a growing problem since at least the 1980’s. With the ever-growing sophistication of global computer networks, crime risks increasingly blur the lines between different insurance products. This reality becomes clear when we break down the single largest source of fintech claims – “external fraud [2].”

Within this broad category of loss, we see several events for which crime policies are simply not intended to provide coverage. Data breaches, for example, though quite literally criminal acts, are typically covered under cyber policies. Others, such as theft of money, generally fit squarely within the coverage grants of most crime policies.

However, some events, such as social engineering, might straddle insurance policies, depending on the facts presented. Take, for example, an all-too-common social engineering claim scenario where an employee is tricked into downloading malware to a firm’s network, providing wrongdoers with backdoor access. Using that access, wrongdoers can transfer money out of a firm’s bank accounts to their own. Such a scenario might present both cyber insurance loss (breach investigation and associated remedial costs) and crime (theft of money).

On the whole then, the 8% notification figure likely underrepresents the number of financial fraud claims being made by fintechs because the risk is no longer covered purely by crime policies. WTW’s Cyber Crime Taskforce has written extensively about the coverage challenges presented by modern fraud scenarios, but it is interesting to see it play out in reported claim data as well.

The main takeaway here is that modern financial fraud cannot be covered simply by purchasing a crime policy. There is certainly a temptation, particularly when contractual covenants are involved, to purchase what is required and to move on. But the reality is that proper coverage requires specialized expertise and a technical understanding of policy language and coordination. While this might seem tedious, the alternative might be having to tell leadership, business partners, or customers that the insurance cover you thought you had wasn’t there when you need it.

Internal fraud: Lower incidence but not to be overlooked

Lost in the ongoing wave of social engineering claims plaguing the entire financial services sector is the reality that internal threats continue to be the main severity driver of fraud claims.

Comparing internal and external theft and fraud

Comparing internal and external theft and fraud
Internal theft and fraud External theft and fraud
Average cost $1.9 million $1.2 million
Median cost $444,000 $109,000
Largest single loss $110 million $108 million
Average duration 586 days 70 days
Average discover time 72 days 31 days
Most frequent event Misappropriation Theft/burglary
Most severe event (average) Computer fraud Computer fraud

However, the claims data[3] indicate that fintechs report notably low levels of internal fraud — less than 6% of reported claims — compared to traditional financial institutions, where internal fraud accounts for 31% of reported fraud claims and 42% of insurer payments. This lower incidence may be attributed to several factors:

  • Digital-first infrastructure: Fintechs often use platforms built with strong internal controls, reducing opportunities for insider threats
  • Advanced monitoring and analytics: Leveraging technology for real-time monitoring can detect anomalies indicative of internal fraud more effectively
  • Organizational culture: As newer companies, fintechs may foster cultures that emphasize transparency and ethical behavior

While these factors may contribute to fewer reported claims, internal fraud remains a major risk that cannot be ignored. For growing firms, the absence of sophisticated controls or limited experience in enforcing them can create vulnerabilities. As these companies scale, implementing robust internal controls and fostering a culture of accountability becomes essential to safeguard against potential insider threats. Ensuring that fraud detection measures evolve alongside the firm’s growth is key to mitigating this persistent risk.

Addressing the risks

Incredibly, and despite the data, many fintech firms treat crime risk as a secondary or even tertiary concern. This is often due to a mistaken belief that their platform is somehow unique enough to prevent fraud, or worse, that because they’ve never experienced a loss before, that’s proof enough of the strength of their controls. Both conclusions are obviously incorrect, and the data supports this.

Recognizing the risk for what it is, some considerations for fintech firms to properly manage their crime risks include:

  • Assessing individual risk profiles: The “fintech” industry is a collection of firms often engaging in very different businesses. Don’t rely on broad “fintech industry” benchmarking or contractual minimums in determining the right insurance limits for your firm.
  • Coordinating insurance coverage: It takes careful coordination of crime and cyber insurance to properly cover modern financial crime risks. Seek advice from experts and brokers familiar with the technical nuances, not someone simply intent on placing a policy and moving on.
  • Staying proactive against emerging threats: Regularly update risk management strategies to account for evolving criminal tactics. Particularly in the age of AI, where deepfake-enabled loss scenarios have already led to insurer payouts, firms must stay vigilant. Adopting advanced detection tools, training employees to recognize manipulation and coordinating closely with insurers on emerging threats are essential steps to mitigate the impact of increasingly sophisticated fraud schemes.
  • Maintaining robust internal controls: Across all subindustries of the financial services world, the most severe claims continue to be those involving internal actors. Nobody knows your controls better than your own employees, and fintechs, particularly new and growing firms, should take care to implement, test and update strong internal controls to prevent unexpected surprises.
  • Consider specialized solutions: Insurance markets have been slow to respond to the ever-growing relationship between cyber and crime insurance. While solutions do exist in the market to add some element of crime cover to cyber policies, this one size fits all approach may not be sufficient for all firms and, depending on one’s unique risks, may still present coverage gaps. WTW continues to focus on creating bespoke solutions for the modern complexities of financial crime, such as the CyFI product, which is designed to fill in the potential gaps between traditional crime and cyber policies (even those containing social engineering or computer crime coverages).

By focusing on these areas, fintechs can enhance their resilience against financial crimes and safeguard their operations and client trust in an increasingly complex landscape.

Conclusion

Crime is a critical risk for fintechs, manifesting differently than in traditional financial institutions. While the overall number of reported claims might be lower, that does not mean that the risk is any lower. Rather, the digital-first nature of fintechs means that actually, from an insurance coverage perspective, fintech claims often straddle insurance products, requiring a nuanced understanding of coverage to properly address the risk.

The industry's diversity means that understanding specific exposures is essential. By recognizing how modern threats like social engineering challenge traditional insurance categorizations, fintech firms can take steps to ensure they are adequately protected.

Footnotes

  1. Based on claims reported by clients from 2007 to January 2024 are included in this report. All claims that we have analysed are included in the calculation for the average claim settlement, the determination of the largest loss and the loss amount distribution chart. However, due to the distorting impact of very large losses, we remove “outliers” from the other charts within the report. Return to article
  2. See footnote 1 Return to article
  3. Based on claims reported by clients from 2007 to January 2024 are included in this report. All claims that we have analyzed are included in the calculation for the average claim settlement, the determination of the largest loss and the loss amount distribution chart. However, due to the distorting impact of very large losses, we remove “outliers” from the other charts within the report. Return to article

Author


Fintech Subvertical Leader, Financial Institutions & Professional Services – North America

Contacts


Trenton McNee
FinTech and Digital Assets Industry Leader, FINEX Financial Institutions, GB

Global Head of FINEX Financial Institutions Willis Canada Inc.
email Email

Contact us