In an arbitral award issued in 2025, an arbitral tribunal of the Center for Conciliation, Arbitration and Amicable Composition of the Medellín Chamber of Commerce (hereinafter, the “Tribunal”) resolved a dispute between (i) a company, as policyholder, insured, and beneficiary under a fidelity and financial risks insurance policy; and (ii) the insurer that issued the insurance.
The dispute concerned whether losses arising from an identity impersonation fraud were covered under the policy or, alternatively, excluded due to deficiencies in the internal controls applied to wire transfers.
The Tribunal concluded that the losses were excluded and released the insurer from the obligation to pay the indemnity, based on the following considerations:
- Restrictive interpretation of the insurance contract
The insurance contract must be interpreted restrictively: coverages and exclusions shall be applied in accordance with the wording agreed upon and the parties’ mutual consent, without being extended to events or risks not expressly provided for under the insurance.
- Nature of fidelity and financial risks insurance
Fidelity and financial risks insurance is designed to protect the insured against pecuniary losses arising from dishonest or fraudulent acts committed by its employees, whether acting alone or in collusion with third parties.
Its purpose is to cover the risk that individuals in whom the company places its trust abuse their position to cause economic harm. However, the operation of this coverage is subject to the terms, limits, and exclusions agreed upon in the insurance: not every fraudulent act is automatically covered, but only those risks that are not expressly excluded under the insurance.
- Scope of extended forgery coverage
The extended forgery coverage indemnifies direct losses of money or securities when the insured acts based on instructions, communications, or notices that appear to originate from a legitimate representative of the company but have been forged or altered by a third party.
This coverage is intended for contemporary risks such as identity impersonation and electronic fraud, and it only applies where no express exclusions are triggered, such as the lack of adequate internal controls that may have facilitated the fraud.
- Dual control and segregation of duties exclusions
The insurance excluded coverage for losses arising from the lack of segregation of duties or dual control, understood as the absence of internal mechanisms preventing a single individual from initiating, authorizing, and executing transactions (including payments, fund transfers, and electronic wire transfers) without the intervention of another user with independent functions and access rights.
These requirements aim to minimize the risk of internal or external fraud, and if it is established that they were not effectively implemented in practice, the insurer may deny the claim.
- Importance of implementing internal manuals
The Tribunal emphasized that it is not sufficient for a company to merely have manuals, policies, or procedures providing for segregation of duties and dual control; such mechanisms must be effectively applied in day-to-day operations. The mere formal existence of controls is insufficient if, in practice, they can be bypassed or are not enforced.
After evaluating the evidence, the Tribunal concluded that the insured did not effectively implement the required dual control, rendering the exclusions applicable and releasing the insurer from the obligation to pay the indemnity.