Wire fraud targeting real estate closings is now a measured, documented, and persistent threat. The FBI's Internet Crime Complaint Center logged over 12,000 real estate fraud complaints and roughly $275 million in reported losses in a single recent year (FBI IC3 2025 annual report). The same agency calls business email compromise, the engine behind most wire fraud, one of the "most financially damaging online crimes" facing businesses that move funds by instruction (FBI, Business Email Compromise).

The natural reflex is to look for a tool that stops the fraud. The market is full of them, and most lead with the promise that they do. This article takes a different position. It argues that the control an escrow office can actually rely on is not a fraud detector. It is a layer that records what the office reviewed, against what source, by whom, and when, before money leaves the account. The office decides. Veto records the review.

This is the control-layer doctrine. It does not promise to prevent fraud. It promises that the file can prove what the office checked before the wire was released, on the day of closing rather than a year later under oath.

What wire fraud in an escrow office actually looks like

Wire fraud in this industry is almost always a business email compromise event. A fraudster compromises or spoofs an email account belonging to a party, agent, lender, or the escrow office itself. Then they send payment instructions, or a revision to existing instructions, that route funds to an account the fraudster controls. The instruction looks legitimate because it arrives on a thread the office already trusts.

The FBI has tracked this pattern for over a decade. Its public service announcement on business email compromise documented more than 305,000 domestic and international incidents and over $55 billion in exposed losses between October 2013 and December 2023 (FBI IC3 PSA I-091124-PSA). The agency's central prevention recommendation is pointed and narrow: use a "secondary channel" to verify any request that changes account information. The strength of the secondary channel is what determines whether the verification holds.

This matters because the reported cases show offices that did verify, and still lost. In Mago v. Arizona Escrow & Financial Corp., the escrow company noticed the payee name did not match, emailed to ask about it, and accepted the reply from the compromised thread. The verification rode the same channel the fraud was riding. For a deeper walkthrough of those cases, see Before buyer funds move, build the record.

The lesson is not that verification fails. The lesson is that verification is only as strong as the source it runs against, and unless the file captures which source was used and what it could and could not prove, the office cannot later show what it actually checked.

What an automated control layer is

An automated control layer is a system that sits between the office's review and the release of funds. It does not decide whether the instruction is correct. It records, in a timestamped artifact, what the office reviewed, what source each value was checked against, what stayed open, who signed off, and what the office decided to do about the open items.

The distinction between a control layer and a fraud prevention tool is the whole argument. A fraud prevention tool claims to stop the bad instruction from going out. A control layer makes no such claim. It makes a different and more defensible one: that the file carries a current record of the review that supported the release, built from the evidence in front of the office at the moment money moved.

That record is the Review Record. It is the artifact an underwriter, examiner, or E&O carrier eventually asks for when they want to know what the office did. The control layer is what makes sure that record exists, is current, and is retained.

The control layer records the review before money moves

The timing is the control. A review record built after a loss is a reconstruction. A review record built before the wire is released, and timestamped at the moment of sign-off, is the office's own evidence of what it relied on.

This is why the control layer operates as a gate, not a log. The office reviews the instruction, checks each covered value against a stated source, notes what is open, and signs off. The record is saved with a timestamp and a named reviewer. If a covered value changes after sign-off, the record goes stale and a fresh review or a named exception is required before release. The mechanics of staleness and re-review are laid out in Managing stale records and material changes in closing files.

The gate does not decide for the office. The office may proceed with an open item if the approver signs off and the reason is logged. What the gate removes is the option to proceed silently, with no record of what was checked or what was left open. That silence is the pattern that creates the most exposure when a file is later examined.

Why the office is the release authority

Every framework that governs escrow funds places the release authority with the office, not with a vendor. A DFPI-licensed independent escrow company must strictly and faithfully perform the parties' written instructions, and when instructions conflict, the office is expected to clarify before it closes (DFPI consumer information on escrow law). ALTA's wire fraud guidance treats the title and settlement company as the party responsible for verification procedures and consumer protection (ALTA Wire Fraud resources).

This is where vendor marketing and operational reality diverge. Tools that confirm bank accounts, authenticate payees, or encrypt instruction delivery produce evidence the office can review. But a passed check is not permission. The permission to release is an office state, created by policy, evidence, source limitations, and the judgment of the person who signs off. The control layer captures that state. It does not create it.

A layer that claimed to approve or release funds would overstate what any system can do for an escrow office. A layer that honestly records what was checked, what it proved, and what it did not prove is the artifact that holds up when the file is examined. The honesty is the utility. For how account-level checks fit into this picture without becoming approval, see Account checks are evidence, not approval.

What happens when the control layer is missing

When the file carries no review record, the office cannot answer the questions a loss surfaces. The question "what did the office check before it released funds?" becomes a reconstruction exercise that runs on memory, email threads, and whatever the production system logged, which is usually the fact of disbursement, not the reasoning behind it.

The consequences fall into three categories.

Audit exposure. The office cannot produce evidence of its review process. ALTA Best Practices Pillar 2 and Pillar 3 expect documented controls over funds release and wire verification (ALTA Best Practices). An examiner who asks for the file and finds no review record has nothing to evaluate.

Liability exposure. When a loss occurs, courts and claimants reconstruct the file. As the reported cases show, offices that confirmed instructions but could not prove they resolved the open item against an independent source were held responsible for the loss. The record is what separates a defensible file from an indefensible one.

E&O exposure. Errors and omissions carriers ask, during application and renewal, whether the office has documented wire verification procedures and can produce evidence of what was reviewed before a loss. A file with no review record is harder to defend and may affect coverage positioning.

How exceptions are handled in the control layer

Not every release is clean. Sometimes the office proceeds with an open item: a payoff figure that is verbal but not yet documented, a callback that did not connect, an instruction that arrived late and the parties cannot wait. The control layer does not forbid these. It requires that they be named.

An exception is a documented departure from standard procedure. It records who approved it, why, and when. The exception appears on the file alongside the review record. It is not a silent bypass. A silent bypass is the absence of a record where one should exist, and it is the pattern that creates the most exposure. The distinction is what defines a good file: one where every covered instruction has a current review record or a named exception, retained and available for review.

Mapping the control layer to ALTA Best Practices and DFPI expectations

Three external frameworks converge on the same expectation: the office should be able to prove what it reviewed before it released funds. The table below maps how a control layer that produces a current review record on every covered instruction addresses each framework.

| Framework | What it expects of the office | How a control layer addresses it | |---|---|---| | ALTA Best Practices Pillar 2 (Escrow Trust Accounting) | Written procedures for disbursement, dual control on wires, documented reconciliation of escrow trust accounts (ALTA Best Practices) | The control layer produces the file-level artifact that a covered instruction was reviewed before release. It captures who reviewed, what was checked, and what the office decided, which is the documentation Pillar 2 expects on each file. | | ALTA Best Practices Pillar 3 (Privacy and Information Security) | Procedures to verify wire instructions and protect nonpublic personal information tied to wires (ALTA Best Practices) | The control layer shows the verification steps taken, their results, and their limitations. It documents that the office applied its wire verification procedure, which is the evidence Pillar 3 expects. | | ALTA Wire Fraud resources | Verification procedures, consumer education, staff training, and an incident response plan (ALTA Wire Fraud) | The control layer is the operational record that verification procedures were applied on the file. ALTA's own Outgoing Wire Preparation Checklist and Rapid Response Plan assume a documented trail, which the control layer produces. | | DFPI independent escrow duty | Strict and faithful performance of the parties' written instructions, with clarification when instructions conflict (DFPI consumer information) | The control layer shows the office identified the instruction, checked it against what was already on file, and either resolved the conflict or carried a named exception. That is the documented performance of the duty. |

The convergence is the point. ALTA and DFPI are not asking the office to prevent fraud. They are asking the office to show what it reviewed and why it proceeded. A control layer that produces a current review record on every covered instruction is the artifact that answers both.

How this differs from fraud prevention tools

The wire fraud prevention market is crowded, and most vendors lead with a claim Veto deliberately avoids. CertifID markets its platform as backing every transaction with up to $5 million in direct insurance per file (CertifID wire fraud prevention). Closinglock leads with "fraud prevention" and "secure wire instructions" as its value proposition (Closinglock). Qualia Shield and FundingShield occupy similar ground, each framing their product as a layer that stops the fraud from completing.

Those tools do useful work. They verify identities, confirm bank accounts, encrypt instruction delivery, and in some cases insure the transaction. The evidence they produce can feed directly into the office's review. What they do not produce is the office's own record of what it decided to do with that evidence, especially when something did not match and the office proceeded anyway.

That is the gap a control layer fills. It records the decision the office made at the moment of release, including the decision to override an open item, who authorized the override, and why. The override at release is the one record none of the prevention tools capture, because their job is to stop the bad instruction, not to document the office's judgment when the office decides to proceed. For the foundational record this layer produces, see Why every covered instruction requires a current review record.

The boundary between recording and deciding

This is where the doctrine draws its line, and it is important to state it plainly.

Veto records the review. It does not approve, authorize, guarantee, insure, verify, release funds, validate identities, confirm bank accounts, authenticate payees, or make wires safe to send. The escrow office remains the release authority.

The office decides. Veto records the review.

That boundary is what makes the control layer useful. The record is not a stamp of correctness. It is a timestamped account of what the office reviewed, what the evidence showed, what stayed open, and what the office decided to do about it. It is valuable precisely because it does not pretend to be more than it is.

Run a live-file control test

The way to see whether this doctrine belongs in your file is to run it on one real disbursement, before the next one closes.

Take a covered instruction from a recent or pending file. Build the review record: what changed, what was checked and against what source, what stayed open, who reviewed it, and what the office decided. Then ask whether that record would answer the five questions behind every disbursement dispute if the file were reconstructed six months from now.

If the record is already there, the doctrine is already operating. If it is not, the file test is where to start. The office's own evidence, on one real file, is the test that matters. Run a live-file control test and see what the file can prove today.

Frequently asked questions about wire fraud controls in escrow offices

### What is an automated control layer in an escrow office?

An automated control layer is a system that records what the office reviewed before funds were released. It captures the covered instruction, the source each value was checked against, what stayed open, who signed off, and what the office decided. It does not decide whether the instruction is correct. It produces the file-ready record that the office applied its own procedures before money moved.

### Does a control layer prevent wire fraud?

No, and any tool that claims it does should be examined closely. A control layer does not detect, block, or prevent fraud. It records the office's review so the file can prove, on the day of closing, what was checked and against what source. Prevention is a vendor claim this article deliberately avoids. The control layer's value is that it makes the office's review reconstructable and defensible, not that it stops the bad instruction from arriving.

### How does a control layer differ from a wire fraud prevention tool?

Fraud prevention tools verify identities, confirm bank accounts, encrypt instruction delivery, and sometimes insure the transaction. They produce evidence the office can review. A control layer consumes that evidence and records what the office decided to do with it, including the decision to proceed when something did not match. The override at release is the one record prevention tools do not capture, because their job is to stop the bad instruction, not to document the office's judgment when the office decides to go forward.

### Does ALTA Best Practices require a control layer?

ALTA Best Practices Pillar 2 and Pillar 3 expect documented procedures for disbursement, wire verification, and information security (ALTA Best Practices). They do not mandate a specific tool. They ask the office to show its controls and document what it relied on. A control layer that produces a review record on every covered instruction is one concrete way to satisfy that expectation, because it gives the office a file-level artifact an examiner can evaluate.

### What should the office record before releasing a wire?

The office should record the covered instruction, what changed from what was already on file, what source each value was checked against, what the check could and could not prove, what stayed open, who reviewed it, and what the office decided. If the office proceeded with an open item, the exception should be named with the approver, the reason, and the timestamp. The record is timestamped at sign-off and retained for the life of the file.

### Can the office proceed if a verification check comes back with an open item?

Yes, if the office's own policy allows it and the approver signs off. The control layer does not forbid exceptions. It requires that they be named. A named exception records who authorized release despite the open item and why. A silent bypass, where the office proceeds with no record at all, is the pattern that creates the most exposure. The doctrine targets the silence, not the judgment.

Claim boundary

This article describes a control doctrine for escrow offices. It is not legal advice and does not classify any office as compliant or noncompliant with ALTA Best Practices, DFPI requirements, or E&O carrier expectations. Veto does not verify, approve, certify, guarantee, or insure any instruction or wire. Veto records the review, marks records stale, blocks releases on stale records, and logs the audit trail. The office decides. Veto records the review.