Can we attach a HELOC to a customer’s pre-existing demand deposit account so that the customer can use their debit card to access the HELOC funds?

Yes, we believe your bank may attach a home equity line of credit (HELOC) to a deposit account to enable your customers to access HELOC funds with a debit card. We are not aware of any Illinois or federal law that would prohibit this practice.

For example, Regulation E recognizes that a home equity line of credit may be linked to a deposit account to cover the payment of overdrafts on the account and does not include such transfers in the definition of an “overdraft service.”

However, we note that the practice of attaching a HELOC to a deposit account may introduce new risks to your customers if your online banking services allow them to make transfers from the HELOC to their deposit accounts. If a customer’s online banking credentials are compromised, fraudsters may be able to transfer advances from the HELOC into the customer’s deposit account and then move the funds to other accounts by wire transfer or other means.

For example, in one case the United States District Court for the Northern District of Illinois permitted Indiana bank customers to pursue a claim that their bank acted negligently because the online banking system used only single-factor authentication for these high-risk transactions, rather than the multi-factor authentication recommended in FFIEC guidance. While other courts have refused to find banks liable in similar situations (and have argued that the case was wrongly decided), this case highlights the need to adopt robust security measures to protect customers when attaching HELOCs and other lines of credit to deposit accounts and allowing transfers through online banking.

For resources related to our guidance, please see:

  • Illinois Financial Services Development Act, 205 ILCS 675/4 (“Notwithstanding the provisions of any other laws in connection with revolving credit plans, any financial institution may, subject to the other provisions of this Section 4 offer and extend credit under a revolving credit plan to a borrower and in connection therewith may . . . provide in the agreement governing the revolving credit plan for such other terms and conditions as the financial institution and borrower may agree upon from time to time. . . .”)
     
  • Regulation E, 12 CFR 1005.17(a)(1) (“For purposes of this section, the term ‘overdraft service’ means a service under which a financial institution assesses a fee or charge on a consumer's account held by the institution for paying a transaction (including a check or other item) when the consumer has insufficient or unavailable funds in the account. The term ‘overdraft service’ does not include any payment of overdrafts pursuant to: . . . A line of credit subject to Regulation Z (12 CFR part 1026), including transfers from a credit card account, home equity line of credit, or overdraft line of credit; . . .”)
     
  • FFIEC Guidance, Authentication in an Internet Banking Environment (October 12, 2005) (“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. . . .”)
     
  • Shames-Yeakel v. Citizens Financial Bank, 677 F.Supp.2d 994, 1008–1009 (N.D. Ill. 2009) (“If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts. . . . In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”)
     
  • USAA Fed. Sav. Bank v. PLS Fin. Servs., Inc., 260 F.Supp.3d 965, 970 (N.D. Ill. 2017) (“Shames–Yeakel applied Indiana law, and USAA has provided no cases suggesting that a similar duty exists under Illinois law. . . . Therefore, because Illinois does not recognize a common law duty to safeguard personal information, USAA cannot establish its claim for negligence against PLS and so the Court dismisses that claim with prejudice.”)
     
  • Pisciotta v. Old National Bancorp, 499 F.3d 629, 640 (7th Cir. 2007) (In contrast with the 2009 case above, the 7th Circuit Appellate Court held in 2007 that a bank could not be held liable to its customers due to a data breach of its online banking services: “In sum, all of the interpretive tools of which we routinely make use in our attempt to determine the content of state law point us to the conclusion that the Supreme Court of Indiana would not allow the plaintiffs’ claim to proceed.”)
     
  • In re Anthem, Inc. Data Breach Litigation, 2016 WL 3029783 at *41 (N.D. Cal., May 27, 2016) (“. . . In Shames-Yeakel, the district court stated that ‘if th[e] duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.’ Id. This holding, however, was problematic in two ways. . . .”)