Talk about “physician heal thyself!” Here are two recent examples of employee theft in the insurance industry. The first involves a small agency, fewer than 10 employees, in Pittsburgh, PA. It lost $432,000 to an embezzling employee.1 The embezzler’s scheme was simple; she wrote checks to herself. She could only co-sign checks, but that didn’t stop her—she just forged the other signature. Since she was the one who did the bank account reconciliations, she was able to destroy the checks she wrote to herself and balance the books by recording fictitious expenses. This scheme went on for almost ten years.

But isn’t the bank responsible when it pays a check with a forged signature—after all they have the authorized signatures on file? Yes the bank is responsible, BUT the depositor must notify the bank within a prescribed period of time. In the case of multiple forgeries by the same person, that time period to give notice may be as short as 30 days. The time limits are governed by the UCC (Uniform Commercial Code) and the deposit agreement between the bank and the depositor. What’s more, even when the depositor gives timely notice the bank can argue that the loss was caused by the depositor’s negligence, which can release the bank from any obligation to indemnify the depositor.3 Obviously this agency will be able to recoup from the bank, at most, only a tiny portion of its loss.

Loss control 101 for employee dishonesty dictates that someone who can sign or deposit checks should not be the one to reconcile the check accounts. That’s a part of the recommendation to separate duties to prevent employee fraud. (Studies show that 70 percent of all employee dishonesty losses involve only one employee.4) In a small firm where there aren’t enough employees to separate duties, the bank statements should be sent to the owner’s home for review. The checks made payable to the employee would probably have jumped out—it would be even better if the owner did the reconciliation him or herself. The second insurance-industry embezzlement scheme involved ACORD. ACORD forms are pervasive in the insurance industry, but ACORD, headquartered in Pearl River (Rockland County) NY, is not a large company; it only has 55 employees. Nevertheless it lost more than $1,000,000 to an employee who apparently used the tried-and-true method of approving bills for fictitious purchases with the payments sent to a firm that was his alter ego.5 What brings it up to date is that the fictitious purchases were for computer network equipment such as routers, servers, etc.

Loss control to avoid losses due to fictitious purchases is more complex. The goal is to avoid unauthorized or unsupported disbursements. Some possible steps are:

• More than one knowledgeable person should be involved in every transaction.
• Support data (purchase order, shipping receipt, etc.) should accompany every request for payment
• Payment should be approved by someone other than the person who initiated the purchase.
• Printed checks should be compared to support data by someone not involved in creating the disbursement request.
• Invoices should be stamped “paid” to prevent their being submitted again for duplicate payment.
• For larger firms, a “positive pay” system can be set up with their banks. (Positive pay means that the bank is provided with a list of check numbers and amounts. The bank only pays checks that agree with the list. Software is available to automate this process.)6

Insurance Coverage is Available
Insurance is the backstop against the thieves who will foil even the best loss control program. The good news is that employee theft and dishonesty insurance is one of the few areas where it’s possible to “insure a burning building”—as long as the insured doesn’t know about the fire. This can be done by writing employee theft insurance on a discovery basis. A discover any employee theft loss first discovered during the policy period no matter when it occurred.

Discovery basis coverage has always been provided for financial institutions (banks, insurance companies, stock brokers, etc.) The loss sustained form, which was the predominant form written for non-financial institutions, provides coverage for prior acts, but only to the extent that the insured had continuous prior coverage. The discovery form, which is now available for commercial, non-profit and governmental entities, provides coverage for newly discovered losses whether or not the insured had prior employee theft coverage. The ISO Commercial Crime insurance program includes discovery basis forms. (See, for example, ISO form CR 00 22 05 06.)

This coverage form is available from the crime insurance departments of leading insurance companies and usually without any retroactive date endorsement. When we requested it, a broker was able to obtain discovery basis coverage with no retro date for one of my consulting clients despite the fact that the client hadn’t carried any employee theft coverage for several years.

What Coverage Limit Should an Insured Buy?

As the insurance agency in Pittsburgh learned to its regret, fidelity losses can go on for many years so that even a small business can sustain a surprisingly large loss. Another example is the CFO of two Hollywood hotels who siphoned $11.4 million from his employers over an eight year period.7

The New York School Board Association recommends 10% of budget as a suggested limit for schools and that’s a place to start, although higher limits are advisable for many organizations. Try to involve the firm’s accountant or CFO in a discussion of the worst-case scenario for an embezzlement loss. Actual cases, such as these, are a good way to start the discussion. Accountants should also be able to recommend strong loss control measures.

Broadening Coverage
Price should not be the sole deciding factor when purchasing employee theft/dishonesty coverage or any other insurance, for that matter. Some insurance companies offer broader coverage or will provide it if you ask for it. Areas of broader coverage include:

• Expanded definition of “employee“ to encompass non-compensated directors, officers, trustees, volunteers, students or interns. (This is particularly important for condo and coop associations, non-profits, schools, etc. that often have key functions performed by volunteers.)
• Sublimit to cover the cost of preparing and proving the claim.
• Broadened policy territory definition to provide coverage anywhere in the world.
• Insured’s ERISA plans added as named insureds to avoid the need for • Waiver of cancellation-of-coverage for employees guilty of prior dishonest acts, if the amount taken by the employee was $5,000 or less.
• "Faithful Performance” coverage for governmental entities
• Elimination of the treasurer/tax-collector exclusion in policies covering governmental entities I n most policies the definition of “employee” does not include agents, consultants and others performing services for the insured as non-employees. Frequently nonemployees have important responsibilities that can create large exposures. For example the treasurer for one organization with over $1 million on deposit in various accounts was an independent contractor, not an employee. Such non-employees can often be added to the coverage using an “agent’s rider.” Ask your insureds if there are nonemployees with the opportunity to embezzle the insureds money or other property when discussing employee theft coverage.

Check Your Coverage—Then Tell Your Insureds
The first step is to check your firm’s coverage— you’re not immune from employee theft losses unless you’re a one-person in the firm. Do you have strong employee dishonesty loss control procedures? Do you have adequate limits? Once your house is in order, tell your insureds about their need for employee theft coverage. No firm with employees is exempt from employee theft losses. Loss control is the first line of defense, but high limits of employee theft coverage is a vital backstop.

1.  This does not include the time-value of money, i.e. the concept that a dollar today is not worth as much as a dollar ten years ago. At 6% interest, if the thefts were spread evenly over the period, the loss would increase by more than $125,000. The loss of imputed interest cannot be covered by insurance.
2. “Pittsburgh Insurance Agency Employee Steals $432K“ http://www.insurancejournal.com/news/east/2 009/11/25/105584.htm (accessed 11/25/09)
3. For more information about a bank’s obligations see: the Treasury Department’s Controller of the Currency website: http://www.helpwithmybank.gov/faqs/banking_ fraud.html#drop02
4. Ken Al-Imam, CPA “Internal Control & Fraud Risks for Entities with Limited Segregation of Duties“ http://www.csmfo.org/index.cfm?fuseaction=De tail&CID=1569&NavID=170 (accessed 11/27/09)
5. Steve Lieberman and Jenna Carlesso “Employee, wife accused of stealing $1M“ The Journal News, Genatt Co. Inc., May 16, 2008
6. Treasury Software Corp., Richmond, VA “What is Positive Pay?“ http://www.treasurysoftware.com/positive-pay- 2.html (accessed 11/28/09)
7. Troy Anderson “Suspect Accused Of Fraud At 2 Hotels“ Daily News Los Angeles, CA 3/27/03

 Jerry Trupin, CPCU, CLU, ChFC, is a partner in Trupin Insurance Services located in Briarcliff Manor, NY. He provides property/casualty insurance consulting advice to commercial, non-profit and governmental entities. He is, in effect, an outsourced risk manager. Jerry has been an expert witness in numerous cases involving insurance policy coverage disputes and has taught many CPCU and IIA courses.

Jerry has spoken across the country on insurance topics and is the co-author of over ten insurance texts used in CPCU and IIA programs including Commercial Property Risk Management and Insurance and Commercial Liability Management and Insurance. He regularly contributes articles to CPCU Interest Group Newsletters, the Insurance Advocate, and other publications. He can be reached at cpcuwest@aol.com.

Thanks to Jerry Trupin for this article and to the CPCU Society’s Risk Management Interest Group newsletter for letting us reprint it. Jerome Trupin