Many banks are now evaluating the pros and cons of using the new “.bank” domain. For those not already in the know, rather than continuing to use the generic “.com” domain, qualifying banks can soon switch to a more descriptive .bank top-level domain name. For example, a bank’s website address might read www.XYZinstitution.bank, rather than www.XYZinstitution.com, and its email addresses might read name.employee@XYZinstitution.bank. In 2012, fTLD Registry Services, LLC (formed by the Financial Services Roundtable and the American Bankers Association) applied to ICANN for the right to issue and manage the .bank generic top-level domain names. On September 25, 2014, fTLD was granted these rights, and it promptly established a roll-out schedule for the issuance of the .bank domain name. For those few financial institutions that hold registered trademarks in their names, open enrollment began last Sunday, May 17, 2015. For all other banks, those without registered trademarks, general availability enrollment will begin at 8:00 pm EDT on June 23.
Will there be Enhanced Security for the Bank?
The .bank domain promises more security for the wild west of the internet. The new bank domain has 31 articulated security features, with one of the more significant features being the upfront clearance by the domain name registrar. Only federally or state chartered financial institutions will be able to acquire a .bank domain name, except for a limited set of service providers, as discussed later. Others in the general public will not be permitted to acquire a .bank domain name. In addition, fTLD will impose the following security measures:
- Mandatory re-verification of registration data every two years or at domain renewal, whichever comes first;
- Requirement of domain name system security extensions (DNSSEC). fTLD will require all domain levels, from fTLD as the top-level registry operator to the banks or other financial institutions as registrants, to utilize DNSSEC for domains that resolve on the Internet;
- Email authentication;
- Multi-factor authentication;
- Enhanced encryption; and
- Prohibition of proxy/privacy registration services. See https://www.ftld.com/faq/.
Further, banks and financial institutions that obtain a .bank domain must maintain Transport Layer Security 1.1 or greater, must follow the best practices described in RFC 6781, and must agree to comply with the obligations contained in a long list of fTLD policies, including an anti-abuse policy. See https://www.ftld.com/WP/policies/.
Enhanced Security for Your Brand?
Reasonable debate exists as to whether the marketplace will reward those who move to a bank domain. However, because of the domain’s enhanced qualification requirements, it is expected that fraudsters will find it harder to phish customers of a bank, as the use of .bank email will be forbidden to them, or to otherwise spoof the bank’s website and communications. This may increase consumer confidence in, and encourage the additional use of, on-line banking services. Recall that one of the nation’s most infamous cyber attacks happened because a senior level business executive of a commercial customer was fooled by a fraudster’s emails into interacting with a spoofed web page that mimicked the customer’s bank. See Experi-Metals v. Comerica Bank, U.S.D.C., ED of Mich. (Lawsuit filed 2009). Given the incalculable value of a bank’s business reputation, and the more measurable values of encouraging customers to migrate to on-line banking platforms, these issues should be considered within the ROI analysis.
Is it Worth the Cost?
Any change to a primary method of communication will entail a range of direct and indirect costs. A change to your core email address is the modern equivalent of changing the institution’s physical mailing address, back when exchanging letters was the normal method of communicating with account holders and borrowers. Some of the more direct costs associated with the domain change are discussed below. But resulting cost savings may be captured in other operational areas. For example, the FFIEC’s Examination Manual directs the “appropriate hardening and monitoring of domain name.” As material line items of the bank’s IT budget are devoted to this requirement, such as the acquisition and updating of certain firewalls, consequential purchases of such technology vendors’ products and services may be adjusted in scope and expense. But how the regulators and our courts will ultimately perceive the protective value of this top-level domain is beyond prediction. In particular, great interest has been expressed as to whether examiners will view this top-level domain as in accord with the FFIEC’s recommendations for robust and layered authentication security and/or whether the domain’s adoption is favorably viewed under the regulators’ new emphasis on a data security “culture” for the business’ leadership. Also unknown is the underwriting and pricing analysis which the cyber insurance market will subsequently follow for adopters. Lastly, by common acclaim the bank’s customers are the weakest link in the security chain, at least as to third-party (non-insider) internet attacks and fraud schemes. Whether the use of the .bank domain will reduce cyber fraud incidents, and the value(s) one places on avoided e-banking loss events, must be considered.
If a bank has an interest in obtaining a .bank domain name, whether to use it immediately or to hold on to it while adopting a “wait and see” attitude, the steps to take are outlined below. Unlike a relatively inexpensive .com domain name, a .bank domain name will cost on the order of $1,000 per year.
When the Bank/Financial Institution has a Federal Trademark Registration
When a bank or financial institution has a federally registered trademark and it has also recorded its trademark registration with the Trademark Clearinghouse, then the bank or financial institution can apply for the .bank domain name beginning on May 17. The federally registered trademark MUST exactly match the domain name to be registered. For example, if the bank or financial institution has a federal trademark registration for “XYZ Bank Easy Access Account” but not for “XYZ” or “XYZ Bank”, then the bank does not qualify for early registration of xyz.bank or xyzbank.bank. A state registration of a bank name will not qualify the bank for early registration.
To the extent a bank or financial institution has a federal registration of its name, it should immediately record that registration with the Trademark Clearinghouse, which will confirm the validity of the trademark registration so that the bank or financial institution is in a position to immediately apply for .bank on May 17. Frost Brown Todd is one of the 180 approved agents for the purpose of validating registered trademarks for the Trademark Clearinghouse. See http://www.trademark-clearinghouse.com/agents?field_company_name_value=frost+brown+todd&name_list=All&continent_list=All&field_support_languages_value=All&=Apply. To record your trademark registration with the Trademark Clearinghouse, contact Frost Brown Todd at firstname.lastname@example.org or at 614.464.1737.
If the Bank/Financial Institution Does NOT have a Federal Trademark Registration
If the bank does not have a federal registration of its name, then the application period for .bank begins on June 23.
In the beginning, banks were local or regional institutions only, and it has only been in the last several decades that banks and financial institutions have aggressively expanded outside the area in which the bank got its start. As a result, many banks and financial institutions do not have a federal registration of their name, because there are often many other banks in the United States with the same name, thus precluding any one entity having nationwide ownership of the name.
As with the .com domain name, when more than one bank has the same name and wants that name as its domain name, the .bank domain names will be issued on a first-come, first-served basis.
Getting to the Front of the Line for .bank
It is impossible to know yet how the .bank registration process will work on June 23, when the registration process is available to all banks and financial institutions. One option that may improve the odds of getting the desired domain name is to sign up for a pre-clearance process. One registrar that is offering this service is Encirca. It is difficult to know whether this process will work, but there doesn’t seem to be a downside. The pre-clearance sign up option offered by Encirca can be found at http://www.encirca.com/cgi-bin/sunrise/bank-prescreen.cgi.
The approved registrars for .bank can be found at the following link:
Most .bank registrars charge around $1,000 per year for the registration and ongoing renewal of the .bank domain name. The registrars justify the additional cost as compared to a .com registration by noting that .bank registrars engage in significant upfront clearance procedures and ongoing monitoring. Additionally, .bank registrars must themselves have additional security infrastructure and monitoring in place.
There is expected to be no cybersquatting with the .bank domain names. The registrar will not make available a .bank name to a bank or financial institution unless it meets the following requirements:
The domain name must: (1) correspond to a trademark, trade name or service mark of the business or organization; and (2) not be likely to deceive or cause material detriment to a significant portion of the banking, insurance and/or financial services communities, its customers or Internet users.
See fTLD’s Name Selection Policy at https://www.ftld.com/WP/wp-content/uploads/2015/03/fTLD-Name-Selection-Policy-BANK-20150316.pdf.
A few non-bank, non-financial institutions will be permitted to register a .bank domain name. They are service providers predominately supporting regulated financial entities, such as the Kentucky Bankers Association, FIS, Fiserv, SWIFT, etc.
Because of the compliance obligations for the .bank domain name holder, there is the risk that the financial institution could fail either to qualify for, or if qualified, to maintain procedures acceptable to, the registrar. See https://www.ftld.com/WP/policies/. In such cases, the registrar has the right to deny, cancel or transfer any registration, or place any domain name on registry lock or similar status, either temporarily or permanently. See https://www.ftld.com/WP/wp-content/uploads/2015/03/fTLD-Acceptable-Use-Anti-Abuse-Policy-BANK-20150316.pdf. Hopefully, such an extreme act by a registrar would not be taken lightly. As an ever growing portion of a bank’s business is now conducted online, having a bank’s website down for any noticeable period of time would have significant adverse impacts.
One of the highest courts to address cyber fraud risk aptly noted that the tension in modern society between security and convenience is on full display in this area of a bank’s business. See Choice Escrow & Land Title v. Bancorp South. The same dilemma exists as banks evaluate the pros and cons of moving to a .bank top-level domain name.