May a customer use online banking to transfer from a HELOC or line of credit to the customer’s checking account?

Yes, your bank may choose to permit customers to transfer line of credit or home equity line of credit (HELOC) disbursements into their checking or other deposit accounts using online banking. We are not aware of any Illinois or federal law that would prohibit or restrict this practice.

However, we note that this practice can introduce new risks into your online banking services. If a customer’s online banking credentials are compromised, fraudsters may be able to take advances from a line of credit, transfer the advances to the customer’s deposit account, and move the funds to other accounts by wire transfer or other means.

The United States District Court for the Northern District of Illinois permitted Indiana bank customers to pursue a claim that their bank acted negligently in a similar situation: a fraudster used the couple’s online banking credentials to take out a $26,500 HELOC advance and transfer the funds to a bank in Austria (which refused to return the funds). Because the bank’s online banking vendor used only single-factor authentication for these high-risk transactions, rather than the multi-factor authentication recommended in FFIEC guidance, the customers argued that their bank potentially failed its duty to protect their account. While other courts have refused to find banks liable in similar situations (and have argued that this case was wrongly decided), the case highlights the need to adopt robust security measures to protect customers when linking HELOCs and other lines of credit to deposit accounts through online banking.

For resources related to our guidance, please see:

  • Illinois Financial Services Development Act, 205 ILCS 675/4 (“Notwithstanding the provisions of any other laws in connection with revolving credit plans, any financial institution may, subject to the other provisions of this Section 4 offer and extend credit under a revolving credit plan to a borrower and in connection therewith may . . . provide in the agreement governing the revolving credit plan for such other terms and conditions as the financial institution and borrower may agree upon from time to time. . . .”)
  • Shames-Yeakel v. Citizens Financial Bank, 677 F.Supp.2d 994, 1009 (N.D. Ill. 2009) (“In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”)
  • FFIEC Guidance, Authentication in an Internet Banking Environment (October 12, 2005) (“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. . . .”)
  • Pisciotta v. Old National Bancorp, 499 F.3d 629, 640 (7th Cir. 2007) (In contrast with the case above, the 7th Circuit Appellate Court held that a bank could not be held liable to its customers due to a data breach of its online banking services: “In sum, all of the interpretive tools of which we routinely make use in our attempt to determine the content of state law point us to the conclusion that the Supreme Court of Indiana would not allow the plaintiffs’ claim to proceed.”)
  • In re Anthem, Inc. Data Breach Litigation, 2016 WL 3029783 at * 41 (N.D. Cal., May 27, 2016) (“ . . . In Shames-Yeakel, the district court stated that ‘if th[e] duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.’ Id. This holding, however, was problematic in two ways. . . .”)