In the first part of our series, we examined the cyber risks faced by fintechs through insights from WTW’s claims database. In this installment, we turn our focus to crime, an important but often overlooked risk in the fintech world.
While crime doesn’t always command the same attention as cyber threats, understanding its nuances is crucial for fintech firms operating in an increasingly complex environment. Crime in the fintech sector isn't just about financial loss; it affects operational integrity and client trust. Fintech companies, with their diverse range of services and digital-first approaches, face unique challenges that differ from those of traditional financial institutions. By analyzing WTW’s claims data, we can shed light on these challenges and explore ways fintechs can better match their insurance coverage to their risks.
Claims made against crime policies account for 8% of all notifications made by fintechs in WTW’s database, placing crime third behind cyber (41%) and E&O (32%) [1]. Comparing fintech to other financial sectors, we see:
While this might suggest that crime is a less significant concern, this figure alone doesn't tell the whole story. “Fintech” is an umbrella term encompassing a wide array of companies engaged in different financial activities, from payment processors and online lenders to wealth tech and insurtech firms. The types and frequencies of crime exposures can vary significantly across these sub-sectors.
The variety of business models and operational structures within the fintech world means that crime risks can differ markedly from one fintech firm to another. For instance, a payments company might be more susceptible to electronic theft and social engineering, while a wealth tech firm might encounter different challenges. Additionally, how fintechs classify and report crime incidents can influence these statistics. Many crime-related events, especially those involving social engineering, might be reported under cyber policies rather than crime policies, potentially understating the true extent of crime exposures when looking solely at crime claim notifications.
The key takeaway here, then, is that fintechs should take care to understand their unique risks before determining their crime insurance needs. Growing firms in particular, which often purchase insurance limits based largely on the contractual requirements imposed on them by investors and business partners, should not assume that the minimum amount is enough. Moreover, 8% of gross notifications are nothing to sneeze at, a good reminder that no matter how innovative your platform or business model, no firm is immune to financial crime.
But does the 8% of notifications made to crime policies really tell us the whole story? As noted above, the proportionally lower incidence of claims reported to crime policies may be partially attributable to how insurers cover modern financial crime risks.
Though the history is beyond the scope of this article, the use of computers to perpetrate financial fraud has been a growing problem since at least the 1980s. With the ever-growing sophistication of global computer networks, crime risks increasingly blur the lines between different insurance products. This reality becomes clear when we break down the single largest source of fintech claims: “external fraud” [2].
Within this broad category of loss, we see several events for which crime policies are simply not intended to provide coverage. Data breaches, for example, though quite literally criminal acts, are typically covered under cyber policies. Others, such as theft of money, generally fit squarely within the coverage grants of most crime policies.
However, some events, such as social engineering, might straddle insurance policies, depending on the facts presented. Take, for example, an all-too-common social engineering claim scenario where an employee is tricked into downloading malware to a firm’s network, providing wrongdoers with backdoor access. Using that access, wrongdoers can transfer money out of a firm’s bank accounts to their own. Such a scenario might present both a cyber insurance loss (breach investigation and associated remedial costs) and a crime loss (theft of money).
On the whole then, the 8% notification figure likely underrepresents the number of financial fraud claims being made by fintechs because the risk is no longer covered purely by crime policies. WTW’s Cyber Crime Taskforce has written extensively about the coverage challenges presented by modern fraud scenarios, but it is interesting to see it play out in reported claim data as well.
The main takeaway here is that modern financial fraud cannot be covered simply by purchasing a crime policy. There is certainly a temptation, particularly when contractual covenants are involved, to purchase what is required and to move on. But the reality is that proper coverage requires specialized expertise and a technical understanding of policy language and coordination. While this might seem tedious, the alternative might be having to tell leadership, business partners, or customers that the insurance cover you thought you had wasn’t there when you needed it.
Lost in the ongoing wave of social engineering claims plaguing the entire financial services sector is the reality that internal threats continue to be the main severity driver of fraud claims.
| | Internal theft and fraud | External theft and fraud |
|---|---|---|
| Average cost | $1.9 million | $1.2 million |
| Median cost | $444,000 | $109,000 |
| Largest single loss | $110 million | $108 million |
| Average duration | 586 days | 70 days |
| Average discovery time | 72 days | 31 days |
| Most frequent event | Misappropriation | Theft/burglary |
| Most severe event (average) | Computer fraud | Computer fraud |
However, the claims data [3] indicate that fintechs report notably low levels of internal fraud (less than 6% of reported claims) compared to traditional financial institutions, where internal fraud accounts for 31% of reported fraud claims and 42% of insurer payments. This lower incidence may be attributed to several factors:
While these factors may contribute to fewer reported claims, internal fraud remains a major risk that cannot be ignored. For growing firms, the absence of sophisticated controls or limited experience in enforcing them can create vulnerabilities. As these companies scale, implementing robust internal controls and fostering a culture of accountability becomes essential to safeguard against potential insider threats. Ensuring that fraud detection measures evolve alongside the firm’s growth is key to mitigating this persistent risk.
Incredibly, and despite the data, many fintech firms treat crime risk as a secondary or even tertiary concern. This is often due to a mistaken belief that their platform is somehow unique enough to prevent fraud, or worse, that because they’ve never experienced a loss before, that’s proof enough of the strength of their controls. Both conclusions are obviously incorrect, and the data supports this.
Recognizing the risk for what it is, some considerations for fintech firms to properly manage their crime risks include:
By focusing on these areas, fintechs can enhance their resilience against financial crimes and safeguard their operations and client trust in an increasingly complex landscape.
Crime is a critical risk for fintechs, manifesting differently than in traditional financial institutions. While the overall number of reported claims might be lower, that does not mean that the risk is any lower. Rather, the digital-first nature of fintechs means that, from an insurance coverage perspective, their claims often straddle insurance products, requiring a nuanced understanding of coverage to properly address the risk.
The industry's diversity means that understanding specific exposures is essential. By recognizing how modern threats like social engineering challenge traditional insurance categorizations, fintech firms can take steps to ensure they are adequately protected.