Lender FAQs: Check Fraud, Bond Coverage, and Positive Pay

Check fraud is on the rise, with organized fraud rings targeting mailed checks and exploiting gaps in customer monitoring. Many financial institutions are implementing indemnification agreements to address this exposure, and it is becoming a standard best practice for Treasury Management departments. The following Q&A addresses the coverage and operational questions banks and credit unions are asking most frequently.

Note that this is a general framework for informed discussion, not legal advice. Your bond carrier and outside counsel should be consulted before finalizing any policy or agreement.

Check Fraud Coverage FAQs for Financial Institutions

If a business customer refuses Positive Pay and the bank ultimately loses a fraud dispute in court, is there likely Bond coverage?

Generally, yes. The Financial Institution Bond typically covers losses where the bank has a legal obligation to pay. If a court ruled against the bank, that legal obligation is established, which is a strong foundation for a coverage claim. However, insurers will still scrutinize how that obligation arose and whether the bank’s own actions contributed to the loss in ways that implicate policy exclusions. A concrete coverage determination requires the actual facts of a real case — neither your bond advisor nor a claims attorney can affirm coverage in the abstract.


Does an indemnification agreement help or hurt coverage when a customer refuses Positive Pay?

A properly drafted indemnification agreement is generally a positive from a coverage standpoint, not a negative. It demonstrates the bank acted prudently by attempting to mitigate risk and shift liability for a known exposure back to the party creating it — the client who refused Positive Pay.

The risk is in poor drafting. If the indemnification agreement is vague, overly broad, or could be interpreted as the bank voluntarily assuming liability beyond what it would otherwise have, some carriers could argue the loss arose from a contractually assumed obligation. This is a common Bond exclusion, and the distinction is critical: insurers treat liability imposed by a court very differently from liability the bank contractually accepts.

Regulatory optics matter as well. If examiners view an indemnification program as a systematic way of permitting unsafe practices for fee income, that creates a separate set of problems independent of insurance. Fee dispute claims are not covered — all Bond policies include that exclusion.

Before rolling out any indemnification program, ask your bond carrier to review the agreement language. The goal is language that protects the bank without inadvertently triggering the voluntary assumption of liability exclusion.



Can a bank make Positive Pay mandatory for commercial customers?

Yes, and many do. Banks can impose this requirement through their deposit account agreements. Under UCC Article 4, banks and customers can modify certain default rules by agreement, which gives institutions contractual flexibility to set account terms. Since Positive Pay is a fraud prevention tool that protects both the bank and the customer, courts and regulators generally view mandatory enrollment favorably. The OCC and FDIC have encouraged Positive Pay adoption as sound fraud risk management practice — examiners tend to view it positively.

In practice, mandatory enrollment is more common for business accounts than consumer accounts. The operational burden of uploading check issue files and reviewing exceptions is better suited to businesses. For consumers, the friction would likely drive customers away.

Some banks apply a tiered approach, requiring enrollment following a fraud incident as a remediation condition. A “three strikes” rule — automatically enrolling customers after three reimbursed bad checks — is possible, but three check losses could be significant depending on account activity. That approach is worth weighing carefully before implementing.

For large corporate clients, Positive Pay and its ACH equivalent — ACH debit blocks and filters — are often bundled into treasury management agreements and framed as a baseline fraud protection requirement rather than an optional add-on.


A customer’s mailed check was stolen, the payee was altered, and the check fraud wasn’t discovered for 90 days. Is there Bond coverage?

Coverage depends on the terms of the applicable deposit agreement and the enforceability of that agreement. The Bond only responds where the bank has a legal obligation to pay, which creates a direct dependency:

  • Deposit agreement terms → customer’s reporting window → bank’s legal obligation → Bond coverage

If the deposit agreement gives the customer 60 days to report unauthorized transactions and the customer missed that window, the bank may have a defense against reimbursement. Without a legal obligation to pay, there is no Bond coverage trigger.

The 90-day discovery scenario is more nuanced. The customer’s argument would be that the alteration was so skillfully executed that even a reasonably diligent review would not have caught it within 60 days. Some courts have been sympathetic to this argument, particularly for consumers as opposed to commercial customers, since consumer deposit agreements and UCC protections can differ from commercial account standards.

One thing worth flagging: some states have consumer protection statutes that can override or limit contractual reporting windows. Whether your current deposit agreement language would hold up as a defense in your jurisdiction is worth confirming with counsel before relying on it as grounds to deny reimbursement — because if the defense fails in court, the Bond coverage analysis changes.


What are the Bond coverage risks from how frontline staff communicate during a fraud incident?

This is arguably the higher-risk area operationally. Verbal commitments to clients can create a legal obligation independent of whether one would otherwise exist. If a banker tells a business client “don’t worry, we’ll take care of this,” that statement can be used to establish promissory estoppel or a separate contractual obligation — meaning the bank could find itself legally obligated to pay not because UCC or the account agreement required it, but because of what an employee said.

If the legal obligation was created by an unauthorized employee statement rather than by law or the account agreement, the carrier may deny the claim, arguing the loss arose from a voluntary and unauthorized assumption of liability.

The UCC framework is worth keeping in mind here. Under Articles 3 and 4, customer notification timelines — typically the one-year preclusion rule for unauthorized signatures and alterations — are powerful protections for the bank. Once a customer is past those windows, the bank generally has no legal obligation to make them whole, and without that obligation, there is likely no Bond coverage trigger.

Staff must be trained to say nothing that sounds like a commitment. The appropriate language during a fraud incident is: “We are investigating this matter and will be in touch once our review is complete.” Nothing more. No commitment to cover a loss should ever be made until the legal obligation is confirmed, the Bond coverage position is understood, and counsel has been consulted.


Are there other Bond exclusions that apply in check fraud situations?

Two deserve specific attention.

The loss-caused-by-employee exclusion applies when bank staff fail to follow documented internal procedures. If the Bond application represents that employees verify maker signatures on checks — including HELOC checks and the bank’s own checks — and those procedures are not actually being followed, claims have been denied on that basis. Bond coverage is not errors and omissions coverage. If the application says controls are in place and they are not being followed, that discrepancy has resulted in denied claims.

The fee dispute exclusion applies universally. All Bond policies exclude losses arising from fee disputes, regardless of how the underlying fraud claim is framed.


What should a bank do when check fraud is discovered?

Report it to your insurer promptly. Do not settle with the customer before reporting. Do not admit fault. If the customer makes demands or threatens legal action, ask that those demands be put in writing — that documentation establishes evidence of a potential legal obligation and supports timely carrier notification. Once a covered claim is in play, the insurer must consent to any settlement. If the claim is not covered, the bank can act as it wishes — but if it is covered, that consent is required.

Early reporting matters even when the loss appears small or uncertain. A notice of circumstance preserves coverage rights without committing to a formal claim. If multiple customers are affected by the same fraud ring, those losses may be aggregatable into a single claim if a common nexus can be established — which has real implications for deductible management. Any pattern of fraud activity warrants a conversation with your bond advisor before the bank independently resolves individual matters, even if those amounts fall below the deductible.


HUB Financial Services exclusively supports financial institutions. We specialize in managing institutional and lending risks, creating process efficiency, maximizing net interest margins, and increasing non-interest income. With 1,500+ clients, our unique industry experience sets us apart, empowering banks, credit unions, mortgage servicers, finance companies and specialty lenders to thrive.


About the Author

Debra McManigle
Senior Vice President

Debra has over 20 years in the insurance and financial institution industry. Debra joined HUB International on September 5, 2000 and manages the Financial Institution Bond and Directors and Officers Liability insurance programs as well as Security Training and Review for existing and prospective clients.

Mobile: 847-420-9136
debra.mcmanigle@hubinternational.com