How Real Estate Agencies can safeguard against Internal Fraud: Top Strategies for protecting client funds
Introduction:
Top 3 Bullet Points:
- Restrict and monitor employee payment permissions: Limit access to high-risk functions, ensuring only necessary employees can process payments and manage client funds to reduce fraud risk.
- Implement dual approval for sensitive transactions: Require two employees to sign off on high-risk actions like changing bank details or making payments to prevent fraudulent activities.
- Track user actions and regularly audit permissions: Assign unique logins, track user activity, and audit permissions to prevent unauthorised access and ensure accountability in managing client funds.
Internal fraud remains one of the most significant threats to the real estate sector, with agencies handling substantial sums of client money. The Association of Certified Fraud Examiners (ACFE) ranks real estate among the top five sectors most vulnerable to internal fraud, and when fraud occurs, the financial losses are often more significant than in other industries. In this high-stakes environment, safeguarding client funds should be a top priority for real estate professionals.
With the right internal controls and security measures in place, agencies can protect both their clients and their own reputation.
Here are four critical strategies to mitigate the risks of internal fraud in real estate agencies.
1. Control employee permissions to prevent fraud
Real estate professionals are frequently tasked with managing large amounts of money, particularly when dealing with rental payments, deposits, and other client funds. Unfortunately, these transactions are prime targets for fraudsters within an agency.
Sarah Fourie, an expert from PayProp, emphasises that it's crucial for agencies to restrict and monitor who has permission to make payments, and how these payments are made. To avoid internal fraud, one of the most effective steps is to limit access to payment processing to only those employees who need it to perform their job duties.
What should you ask yourself?
- What permissions do your employees need, and what permissions do they actually have?
For example, the ability to set up new payment beneficiaries, change beneficiary details, make payments, and release damage deposits should be granted only to authorised staff members. It’s important to ensure that this access is granted only when absolutely necessary, and that employees do not have permission to carry out high-risk functions unless they need it for their job.
Regularly auditing user permissions is critical. Staff roles and responsibilities change over time, and employees who no longer need access to certain functions should have their permissions revoked. Additionally, any former employees should be immediately removed from the system to prevent unauthorised access.
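The audit described above, comparing what each login has been granted with what its role needs, as an added example that is not code from PayProp or any product the article mentions. The role definitions, permission names and sample accounts are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# The high-risk functions named in the article.
HIGH_RISK = {"add_beneficiary", "change_beneficiary", "make_payment", "release_deposit"}

# Hypothetical role definitions: what each job actually needs.
ROLE_NEEDS = {
    "accounts": {"make_payment", "release_deposit", "view_ledger"},
    "letting_agent": {"view_ledger"},
}


@dataclass
class Account:
    login: str
    used_by: list      # everyone who signs in with this login
    role: str
    employed: bool     # False once the account owner has left the agency
    granted: set


def audit(accounts):
    """Return (login, finding, detail) tuples for accounts that need action."""
    findings = []
    for acc in accounts:
        if not acc.employed:
            findings.append((acc.login, "former employee still has access", sorted(acc.granted)))
            continue
        if len(acc.used_by) > 1:
            findings.append((acc.login, "shared login", sorted(acc.used_by)))
        excess = acc.granted - ROLE_NEEDS.get(acc.role, set())
        if excess & HIGH_RISK:
            findings.append((acc.login, "high-risk permission not needed", sorted(excess & HIGH_RISK)))
    return findings


# Constructed sample data, not taken from any real system.
SAMPLE = [
    Account("thandi", ["thandi"], "accounts", True, {"make_payment", "view_ledger"}),
    Account("front-desk", ["ben", "cara"], "letting_agent", True, {"view_ledger"}),
    Account("ben", ["ben"], "letting_agent", True, {"view_ledger", "change_beneficiary"}),
    Account("dave", ["dave"], "accounts", False, {"make_payment"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```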
2. Implement dual approval for sensitive transactions
In real estate, high-risk functions such as making payments, changing landlord banking details, or adding new payment beneficiaries can create opportunities for fraudsters to divert funds. As a result, it is crucial to establish a system where no employee can carry out these functions without oversight. The ACFE suggests that the more eyes you have on sensitive transactions, the less likely fraud will occur.
What should you ask yourself?
- How many people need to be involved in making payments?
Incorporating dual approval is a practical and effective way to prevent fraud. For example, before any payment is made or beneficiary details are updated, two employees should review and approve the transaction.
This reduces the likelihood of one person committing fraud without anyone noticing. If this is not feasible, especially in smaller agencies, the focus should be on thoroughly auditing all user activity to ensure that fraudulent actions are caught as soon as they occur.
For agencies with a larger workforce, requiring multiple sign-offs on high-risk actions like approving beneficiary payments can add an extra layer of protection. In smaller agencies, even if dual sign-off isn’t practical, it’s critical to ensure that staff members’ actions are being continuously monitored through regular audits.
3. Establish strict protocols for changing beneficiary bank details
Changing beneficiary bank details is one of the most common methods fraudsters use to redirect payments into accounts they control. While there are legitimate reasons for changing bank details, such as a client opening a new account, it’s also a key opportunity for fraud.
What should you ask yourself?
- What is your process for changing beneficiary bank details?
Requiring dual approval before making changes to bank account details can significantly reduce the chances of fraudulent activity. However, the risk doesn’t end there.
Fraudsters may attempt to deceive employees with emails that appear legitimate, leading them to approve fraudulent bank changes. To prevent this, agencies should go one step further by verifying the change with a phone call to the client or beneficiary, confirming the request directly, and even asking for proof of bank account ownership before proceeding.
Additional Tip
Ensuring that all bank changes are cross-referenced and verified before execution provides an additional layer of security against potential fraud.
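The dual approval and phone verification steps from sections 2 and 3, sketched as an added example that is not code from PayProp or any product the article mentions. The class, method and employee names are hypothetical; the change is only applied once two different employees have signed off and a phone confirmation has been recorded, and every attempt is logged against the person who made it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ApprovalError(Exception):
    """Raised when a change is applied without the required checks."""


@dataclass
class BankChangeRequest:
    beneficiary: str
    new_account: str
    requested_by: str
    approvers: set = field(default_factory=set)
    phone_confirmed_by: str = ""
    audit_log: list = field(default_factory=list)

    def _log(self, actor, action):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append((stamp, actor, action))

    def approve(self, employee):
        # A set means a repeat sign-off by the same person never counts twice.
        self.approvers.add(employee)
        self._log(employee, "approved")
        return len(self.approvers)

    def confirm_by_phone(self, employee):
        # Records that the beneficiary confirmed the request on a call.
        self.phone_confirmed_by = employee
        self._log(employee, "phone confirmation recorded")

    def missing_checks(self):
        missing = []
        if len(self.approvers) < 2:
            missing.append("two approvals")
        if not self.phone_confirmed_by:
            missing.append("phone confirmation")
        return missing

    def apply(self, employee, bank_details):
        missing = self.missing_checks()
        if missing:
            self._log(employee, "apply blocked: " + ", ".join(missing))
            raise ApprovalError(", ".join(missing))
        bank_details[self.beneficiary] = self.new_account
        self._log(employee, "bank details changed")
```

Blocked attempts stay in `audit_log` alongside successful ones, so a review shows who tried to push a change through before the checks were complete.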
4. Track user activity and review security regularly
It’s not enough to simply restrict access to sensitive functions; agencies must also implement systems to track and monitor every action taken by their employees. This allows agencies to quickly identify any unauthorised or suspicious activities. Without strict tracking systems in place, it becomes difficult to pinpoint which employee is responsible for a particular fraudulent transaction.
What should you ask yourself?
- How do you track user actions within your agency?
To improve accountability, ensure that every employee has their own individual account and login details. Account sharing can complicate the process of identifying who performed specific actions. In addition, it increases the likelihood of former employees retaining access to your systems after they have left your company, which poses a significant security risk.
Audit logs and activity tracking systems should be in place to monitor each user’s actions, including any changes made to beneficiary details or client payments. If an employee with access to high-risk functions leaves, it’s critical to revoke their permissions immediately and review the system for any unauthorised access.
Conclusion
Internal fraud is a serious threat to real estate agencies, but with the right strategies in place, it is possible to minimise this risk. By controlling employee permissions, implementing dual approval for sensitive transactions, establishing strict protocols for changing beneficiary details, and regularly tracking user activity, agencies can safeguard client funds and maintain their reputation.
In a time when fraud risks are high, ensuring that your agency’s security is watertight should be a top priority. Prioritising these practices not only protects your business but ensures your clients’ trust and confidence in your services remain intact.