[hga]

Based on some events of this sort in my area, as I understand it organizations that get that sort of direct access and control over their bank accounts do so under a strict set of conditions the bank lays down. I.e. an isolated computer that no one's reading email on, which prevents the sort of spear plishing detailed in Haysite Reinforced Plastics experience with PNC Bank.

After such an event the bank will investigate, and if the org violated their conditions and that led to the loss, it's on the org. And I suspect org insurance policies have "we don't make you whole if you're an idiot" provisions.

Or at least that's how it went down here when e.g. a school district was sloppy and lost 6 figures of their bank balance.