Back to Blog

Bank of America Launches SafePass, but You’d Never Know From its Website

If you were in the office yesterday, you probably heard about Bank of America's announcement of SafePass, an optional out-of-band authorization technique for high-risk online banking transactions. It was all over the news, including the trades, blogs, and a few mainstream press articles. Here's the press release.

The system, common in many countries, but available only at Citibank in the United States (previous coverage here), sends users a 6-digit code via text message. The code is then entered at BofA's website to authorize larger transfers, new bill-pay merchants, new accounts for funds transfer, or to login from a new computer, not previously "registered" for online banking. VeriSign developed the technology.

The service will roll out across the BofA empire this year, with many customers having it as soon as next week. Next year, a wallet-card token "SafePass card" will be offered for customers who don't have text-messaging capabilities on their phones.

Analysis
SafePass is a solid enhancement to security, at least perceived security, since it probably won't do much to cut down on actual fraud losses. It's already pretty difficult to get through BofA's security gates and pull money out of someone's online account. The bank did the right thing in making it optional. Only the paranoiacs, road warriors, or those with unusually high transaction amounts will want to undergo the extra steps.   

So while it may be ho-hum in terms of fraud reductions, SafePass is brilliant marketing (note 1). It's a tangible and easily understood copy-point as to why one should choose BofA over the other 15,000 U.S. financial institutions. Think of the bragging rights they now have (all firsts are U.S. only):

  • First to integrate mobile messaging into the authentication process
  • First to offer optional extra security
  • First to safeguard the process of adding a new bill payment payee
  • Potentially first to offer choice of token or mobile text message for out-of-channel authorization
  • Only bank able to put "SafePass" on their websitea very good name
  • Able to say, "no one has more security options than us"
  • Able to say they are a "pioneer in security enhancements"
  • Able to they "put the customer in charge of their own extra security"
  • And so on …

Congratulations to Bank of America for once again raising the bar in online security.

Rant
While I like what the bank has done, once again I find it astonishing that even 48 hours after releasing the news in a press release here, THERE IS NOTHING ON THE BofA WEBSITE ABOUT IT. A site search for "SafePass" pretending to be from North Carolina, New York, or California results yields just a single obscure business insurance product. Bank of America's search doesn't even return the press release announcing the service!

SafePass is also not mentioned in the bank's security, online banking, or mobile banking sections. I've worked in a Fortune 50 company, so I understand all too well how hard it is to sync advertising, PR, sales, and so on at a huge company. But with 22 million active online banking users, you'd think BofA would be a leader in syncing its website to its marketing plan. 

Am I being overly critical?  It's certainly worth writing about. 

Note:

1. For more information on the synergy between security and marketing efforts, see our full report on the subject at Online Banking Report.