Seven Strategies for Preventing Costly HELOC Loan Fraud Exposures05.13.2019
Over the years, the industry has seen an increase in wire fraud involving funds disbursed from a home equity line of credit (HELOC) loan. The HELOC loan fraud exposures can involve various paths from which the bad guys attack and can result in losses upwards of $500,000.
To help manage these HELOC risks, each part of a loan program should be evaluated for potential weak points through which a fraudster can enter. This includes reviewing how HELOC funds are disbursed, how borrowers can obtain an available line of credit, and how HELOC loan payments can be made to the financial institution.
Fraudsters continue to seek out weaknesses for stealing HELOC loan funds, so it is important to understand where these weaknesses may exist and put the right precuations in place to protect against any potential exposure.
If your financial institution offers HELOC loans, we recommend adopting the following best practice strategies to protect against a HELOC loan fraud exposure of any kind:
HELOC Loan Fraud Prevention Tips
- Confirm when the individual joined the financial institution to verify there is not a stolen ID or synthetic ID theft exposure.
- Confirm the identity of the individual requesting the HELOC loan using multiple layers of authentication prior to approval and disbursements.
- Confirm your HELOC loan program is protected by authentication layers at every stage of the loan process, including opening of the HELOC loan, HELOC disbursements by the financial institution or borrower, and HELOC payments made by the borrower.
- Confirm you have written policies and procedures established for each part of the HELOC loan process and share these with employees throughout your financial institution.
- Consider how your borrowers can make HELOC loan payments and you are managing the risks on these payment types. For example, if you allow for ACH payments on a HELOC loan, make sure to monitor your HELOC payment reports daily so you can catch and resolve any returned payments. The receiving depository financial institution (RDFI) has 60 days to return an “unauthorized” ACH debit back to your financial institution.
- We strongly recommend you do not make funds available until you have confirmed the payments are good funds from the borrower. For example, if you receive a HELOC payment by check, do not open the available line of credit until the check payment clears from the other financial institution.
Also require that a HELOC loan disbursement agreement be signed by your financial institution and borrowers at the time of loan approval. Within the agreement, outline the authentication requirements and risk prevention methods enforced for each type of disbursement. Ensure you communicate with your borrowers what these protections are and how they will prevent fraud:
- HELOC checks. If offering paper checks to borrowers for obtaining funds from the HELOC loan, we recommend you use “positive pay” or “payee positive pay” where the borrower advises if they are going to write a check against the available line of credit. If any HELOC check attempts to clear and the borrower failed to notify you, the check should be returned to the financial institution who accepted the check as a deposited item and your institution could be exposed to a self-retained loss.
- HELOC cards. If offering a HELOC card, you should put in place a daily dollar limit. The borrower must notify you for authorization to lift the daily dollar limit. If the daily dollar limit cap is temporarily changed, multiple layers of authentication must be obtained by you. Once the HELOC card transaction is performed, the daily dollar limit must be set back to your policy standards (Best practice is $10,000 on credit cards, but many financial institutions are lowering these daily dollar limits based on a case by case basis). Confirm all the layers of card security measures are in place for the HELOC card program and the cards will only authorize with “chip on chip” card transactions. (POS 05)
- ACH credits. If offering ACH credits for the disbursement of the HELOC funds, we recommend you require borrowers to use “positive pay” or “payee positive pay.” Make sure to also require multiple layers of authentication before disbursing funds.
- Wire disbursements. If offering wire disbursements for the HELOC funds, it’s best to follow your outgoing wire policies and procedures to help prevent the risk exposure. We also recommend your institution establishes daily dollar limits on HELOC wire disbursements and requires multiple authentication layers, including a password/passcode, agreed upon security questions, and validation call backs/texts to phone numbers provided by the borrower. Your institution should also confirm that you do not allow an internal transfer to another account when a HELOC wire is sent out.
- Internal transfers. If offering internal transfers from HELOC funds, it's essential you impose multiple authentication layers before releasing the funds - no matter if the request is performed via online banking or through your financial institution or card processor's call center. Pay special attention to any type of internal transfer from the HELOC loan disbursements where the funds are moved to a share or share draft account (savings or checking) and then withdrawn by wire or a share draft.
With the increase of identity theft at account opening and account takeover, it is extremely important we continue to share information across all channels within the financial institution. In today’s environment, early warning signs of potential fraud will help prevent fraud if the bad guy is attempting to get in and cause a financial loss. Working together and educating each other is a WIN, WIN to prevent the HELOC loan fraud risk exposure.
Ann Davidson is vice president of risk consulting for Allied Solutions, which provides customized services and insurance programs to financial institutions.