Crime / social engineering fraud
What this clause says
The Association shall maintain crime coverage insuring against loss of Association funds, and in addition to the employee dishonesty insuring agreement shall carry a social engineering fraud and fraudulent instruction endorsement covering loss resulting from the transfer of funds in reliance on a fraudulent instruction that purports to come from an officer, director, employee, managing agent, or vendor, together with funds transfer fraud coverage for loss resulting from a fraudulent instruction sent to a financial institution directing the transfer of Association funds, each subject to the sublimit stated in the declarations and to any callback or out-of-band verification condition required by the policy.
What this means in plain English
A community association's crime policy, sometimes called the fidelity or crime bond, is built around one core insuring agreement: employee dishonesty, which pays when someone inside the association who handles the money steals it, whether a board treasurer, an employee, or the managing agent. That is the coverage the Fannie Mae Selling Guide (section B7-4-02, Fidelity/Crime Insurance Requirements for Project Developments) is describing when it requires a fidelity or crime bond sized to three months of assessments plus reserves. The exposure that has grown fastest, though, is not an insider stealing money, it is an outside impostor tricking an authorized person into sending it voluntarily. That is social engineering fraud, and its close cousin funds transfer fraud, and neither is covered by the base employee-dishonesty insuring agreement. The distinction that decides whether a claim is paid is who moved the money and why: employee dishonesty responds when a trusted insider takes funds without authorization, while social engineering and funds transfer fraud respond when an authorized person is deceived into releasing funds through a legitimate-looking instruction. There is no statute that requires this specific coverage; the fidelity mandate that lenders and state law impose speaks to employee dishonesty, so social engineering and funds transfer fraud are a separate, best-practice add-on the association has to ask for by name. The coverage is added either as an endorsement to the crime policy or through a cyber policy, and on either form it is almost always a carved-down sublimit rather than the full limit.
What it means for an HOA board
This is the coverage gap most likely to turn into a real loss for a modern association, and it is the one boards most often assume is already handled by the crime bond. The classic loss is a wire-fraud attack on a reserve transfer: a spoofed email that appears to come from a board officer, the manager, or a familiar vendor instructs the person who moves money to wire a reserve or operating balance to a new account, or to update a vendor's banking details before the next draw. When the manager or treasurer sends that wire, the money left through a legitimate instruction from an authorized person, so the employee-dishonesty insuring agreement on the crime bond does not respond. Nothing was stolen by an insider; an insider was fooled. Associations are an unusually good target because they move large lump sums on a predictable schedule, reserve draws for a roof or paving project can run well into six or seven figures, and the approval chain is often a single volunteer treasurer and an off-site manager who communicate mostly by email. Three things to confirm. First, that a social engineering fraud and funds transfer fraud endorsement actually exists, by name, on either the crime policy or a cyber policy, and is not assumed to be inside the fidelity bond. Second, the sublimit, which carriers routinely cut well below the headline crime or cyber limit and which commonly lands in the $25,000 to $250,000 range against policies written at $1M to $3M, so a large reserve wire can outrun a thin sublimit. Third, the verification warranty: most carriers now gate this coverage behind a condition that a callback to a previously known phone number, or another out-of-band confirmation, be completed before any wire or change of banking instructions is released, and a loss where that step was skipped can be denied even though the endorsement is in force. Pair the coverage with the control the policy is really asking for, a mandatory verified callback before any transfer or banking change, and confirm the management company carries its own matching coverage, since the manager usually initiates the transfers.
Program notes
The specialty community-association markets add social engineering and funds transfer fraud either by endorsement to the crime policy or through a companion cyber placement, and the premium is small relative to the reserve balances at risk. The number to scrutinize is the sublimit, not the presence of the endorsement: a policy can show a healthy crime or cyber limit while the social engineering and funds transfer fraud sublimit is a token figure that would not cover a single reserve wire, which is close to no protection on the loss an association is most likely to actually suffer. The other recurring trap is the verification warranty, since a carrier that has attached a callback condition can decline an otherwise covered loss when the transfer went out without the confirming call, so the coverage and the association's own wire-verification procedure have to be bought and enforced together. Citation basis: no controlling statute or Selling Guide section sets a social engineering fraud requirement; the Fannie Mae B7-4-02 fidelity mandate reaches employee dishonesty only, and this add-on rests on qualitative crime and cyber underwriting practice and general community-association guidance (for example from the Community Associations Institute) rather than a regulatory floor. Because it maps to no single program input the Policy Checker collects, this clause is informational and carries no automated evaluation.
How this evaluates
The Policy Checker applies these rules in order; the first match wins.
See this in your policy
Check this clause against your master policy.
Run the Policy CheckerRelated clauses
Common questions about this clause
- Does an HOA need cyber insurance for wire fraud?
- How much fidelity bond coverage does an HOA need?
- Does an HOA need cyber insurance and how does it differ from crime coverage?
- How much umbrella or excess liability does an HOA need?
- What is the difference between a fidelity bond and crime insurance for an HOA?