American Express Spruces Up its Email Confirmations

American Express, long one of the savviest financial marketers, recently updated the look of its routine "payment received" email confirmation.

It’s a nice change from the typical text-only message. Key features include:
– last 5 digits of card number for verification
– account login
– balance transfer offer
– Blue Cash offer

But the "Dear Cardmember" salutation is a mistake.

With all the hysteria about phishing and email fraud, the opening should be personalized, both to differentiate the message from spam and to insulate cardmembers (and American Express itself) from phishing attacks. This is especially important in a communication that includes a built-in login button, an inviting target for phishers.

American Express does provide several unique identifiers: the last 5 digits of the card number, the payment date, and payment amount. But those aren’t instantly recognizable to all cardmembers. The combination of account name and the last few digits is much more effective (see Citibank article).

Grades
A  for look & feel
A- for cross sales (two offers might be a bit much)
A for self-service with five links to popular online card management functions
B- for security (last 5 digits included, but no cardholder name, no mention of how to verify the authenticity)
————————–
A- overall

JB

If you’d like to learn more about the bank and financial services email trends, check out Email Marketing in Financial Services: Leveraging the Inbox from our sister publication, the Online Banking Report.

Financial Institutions with the Longest Online Archives

In the most recent issue of Online Banking Report, we outlined an important competitive feature going forward: online archives.

We sampled 50 financial institution websites and found the longest archives as follows:

Statements – 24 months at The Whitney Bank
Transactions – 58 months at ING Direct (since inception of the bank)
Images – 84 months at E*Trade Bank

We’ve just been alerted that Frost Bank has real-time statement archives dating back to 1997, a full 100 months and counting. That’s nearly 5 times the length of our previous front-runner, The Whitney. And effective July 17, Frost will also have 18-month image and transaction archives, double the average length of our sample banks.

Finally, if you sum the archive length across all 3 types, Frost’s 136 (11 + 18 + 18) is the clear winner. Runner-up is E*Trade at 126. No one else is higher than 70.

Keep those cards and letters coming. Email me if you know of anyone who has longer archives than those listed above.

P.S. Another one we got partially wrong: HSBC provides 24 months of archives for deposit products and 12 months for credit cards. We reported 12 months for all.

JB

Chase Ends Last Major Experiment with Scan-and-Pay Bill Management

Effective Monday, Chase Bank will end its four-year experiment with so-called scan-and-pay bill payment (download the email announcement below). Popularized in 1999-2000 by Cyberbills, PayMyBills.com, and PayTrust, the service allowed users to have their mailed bills redirected to the service provider where they were scanned and posted to a website. Users were alerted to the new bills and could pay them through a variety of methods.

Download final email announcing the termination of Chase Bank's "Premium Plan" total bill management service

As demand failed to materialize, the three service providers all ended up under Metavante ownership. Last year, Metavante sold the remaining PayTrust business to Intuit. Chase was the only major bank to offer the service, using it as the premium option in a three-level product line (see OBR 82, p. 8).

Analysis
This is a service that sounds great on paper, but is too complicated for the benefits provided. Winning electronic bill payment services need to provide quick payback with a minimal learning curve. That's what's so nice about CheckFree's new system that allows users to add a new biller by simply entering the biller's phone number.

While the few users who took the trouble to redirect their bills and set up automated payments were quite satisfied, it was just too much trouble for all but a fringe group of highly organized, computer-savvy types, the kind of person who is a long-term user of Quicken. So it makes a lot of sense that the sole remaining provider of the service is Intuit.

JB

 

Low-Cost Bank Logos

This isn’t the kind of thing you usually find in The Wall Street Journal, but today they ran an article in their Small Business column about low-cost graphic design services from LogoWorks.com. Their financial clients include Peach State Bank and Vista Federal Credit Union.

For $385, three different designers will each provide 2 or 3 logos based on your written input. The flat-rate price also includes unlimited revisions to the designs and turnaround time is 72 hours. For those on a really tight budget, a $265 option puts just two designers on your account and limits revisions to two rounds.

Analysis
Distinctive logos are a great way to improve the professionalism of your website and LogoWorks makes it extremely simple and cost effective to get just what you need in a timely fashion.

For more information, read Online Banking Report (100/101), Financial Website Usability: Homepage 

JB

Update: Bank of America’s SiteKey Goes Live in Tennessee

Bank of America issued a press release saying that it went live today in Tennessee with its OBR Best-of-the-Web-winning multi-factor authentication system. However, a search of the bank's website, using Tennessee as our state, found no mention other than the "coming soon" paragraph that's been posted for the past several weeks (click on inset to read).

Read our previous article.

–JB

 

U.S. Bank Splashscreen Announces Bill Pay Improvements

U.S. Bank, with more than 1 million online banking customers, just went live with CheckFree’s latest bill payment system (see OBR 113, p. 11). The improvements were communicated to current customers via a splashscreen the first time they went into the bill payment system (click on the inset above for a close-up).

The changes were also highlighted on a splashscreen after online banking login (see inset below). Customers also received a letter with similar information.

Improvements

  • Much better user interface
  • Integrated checking account balance
  • Faster payments for some merchants, some with same-day delivery
  • More customer-friendly terminology such as "biller" instead of "payee"
  • Slick add-a-biller function keyed off phone number (which really works, I added myself as a biller by typing my phone number, clicking "enter", confirming that it was the right address, and clicking again…took about 10 seconds!)

Analysis
The reason for this article is to highlight the effectiveness of splashscreens for communicating important new information. PayPal has been using this technique practically since inception and we’ve commented on it a number of times in Online Banking Report.

We are now starting to see the technique at other financial institutions. We believe it’s an extremely effective technique for two reasons:

  1. Users are surprised to see a screen they weren’t expecting, so they are naturally curious to find out what’s going on.
  2. Users are forced to navigate past the screen in order to do their banking, usually with a button at the bottom of the screen; so they have little choice but to scan the content.

However, you have to be careful not to overuse it. Anything more than once per month and users will start clicking past it like they do with most advertising intrusions. 

If you are not using this technique, talk to your website development team, or outside platform provider, about how to incorporate it into your online marketing mix.

JB

RF Technology for Online Banking Login?

Now that Visa, MasterCard, American Express, and others are actively putting so-called contactless cards into the hands of consumers (Chase’s blink for instance), it’s not such a far-fetched thought that these radio-frequency (RF) cards could be used as the extra factor for online banking login.

PCs equipped with RF card readers could read the user’s plastic, allowing the user to log in securely with just a username/password, or conceivably just a password.

But PC makers aren’t going to add card reading technology, no matter how cheap it is, just for online banking. But if merchants began insisting on the RF readers to cut down on card fraud for online purchases, perhaps with the associations agreeing that a purchase made with a PC-based RF reader qualified as a "card present" transaction, then the technology could take off.

Using contactless cards online could be more beneficial than using them for off-line purchases. In the physical world, the contactless card merely saves a few seconds compared to swiping it through a conventional terminal. But online the savings could be more dramatic, potentially allowing the customer to skip typing their card and verification number into a web form.

JB

Capital One’s Savings Accounts

With the success of ING Direct and other direct banks, there has been a lot more attention given to selling savings accounts and certificates online.

One of the new players to watch is Capital One. They are beginning to apply their marketing skills, honed in the brutal credit card market, to deposit products.

Googling "online banking" today, we noticed Capital One in first position on the right-hand sponsored links area (see inset).

Clicking through you are delivered to a page that markets deposit products much more aggressively than most banks (see screenshot below). Capital One leads with a chart showing its rate compared to the national average (see inset above).   

The bank offers five different savings products on the main page, each with its own distinct Open Account button:

  • 3.15% High Yield Savings Account (the lead product at the top)
  • 4.03% No Regrets CDs (allows purchasers to bump-up their rate)
  • 3.25% Money Market Accounts
  • 4.50% Certificates of Deposit
  • 4.29% IRA CDs

Analysis
The relatively high rates (APYs) are a big part of the appeal. But there is more to it than just price.

Capital One does a great job of laying out the options, including:

Click on this thumbnail for a look at the main savings page at Capital One.

JB

2004 Online Financial Services Ad Spending

JP Morgan Chase and Citibank led all banking and lending companies in online ad spending according to the most recent American Banker survey of financial services spending (May 2005).

Chase’s $50 million in online advertising was 21% of its entire advertising expense, the highest among major banks, and considerably above the 11% online share across all financial services companies. In comparison, Citi’s $49 million spent online was only 9% of its total advertising expense, slightly below the industry average.

NetBank, the 16th biggest online advertiser, was the percentage leader, funneling all but $100,000 of its $4.9 million in advertising into online initiatives. Two other major online advertisers spent more than half their money online last year: ING Direct spending 60% of its $40 million total online, and MBNA spending more than half its $14 million online.

Lending Tree, Quicken Loans, HSBC, Sovereign and East-West Mortgage all devoted about one-third of their advertising to the online channel.

Top-20 Financial Institutions Online Advertisers*
2004 Online Advertising (% of total advertising)*
1. JP Morgan Chase  $50 million (21%)
2. Citigroup              $49 million (9%)
3. American Express $28 million (9%)
4. Bank of America    $25 million (9%)
5. ING Direct            $24 million (60%)
6. Lending Tree        $22 million (31%)
7. Ameriquest           $16 million (13%)
8. Quicken Loans       $10 million (33%)
9. Wells Fargo           $9.2 million (14%)
10. HSBC                  $8.3 million (39%)
11. MBNA                  $7.0 million (51%)
12. Wachovia            $6.3 million (7%)
13. E-Loan                $6.1 million (21%)
14. NetBank              $4.8 million (98%)
15. Discover             $4.7 million (6%)
16. GM                     $3.8 million (4%)
17. Royal Bank          $3.2 million (12%)
18. Sovereign           $2.8 million (33%)
19. East-West Mtg.    $2.7 million (32%)
20. WAMU                $1.9 million (2%)

*Banking, Lending, Mortgage, or Credit Card segments only, does not include online brokerage, insurance, or investments.

If you look at the brokerage and mutual fund category, the spending accelerates. Four online brokers, Ameritrade ($65 million), Scottrade ($63 million), Schwab ($58 million), and E*Trade ($52 million), each outspent even the largest financial institution, and Netstock Direct ($32 million) outspent all but Citi and Chase.

Top-10 Brokerage & Mutual Funds
2004 Online Advertising, $ millions (% of total advertising)
1. Ameritrade     $65 (64%)
2. Scottrade      $63 (87%)
3. Schwab         $58 (35%)
4. E*Trade        $52 (77%)
5. Netstock       $32 (99%)
6. Harrisdirect   $24 (78%)
7. Vanguard       $12 (31%)
8. TD Bank        $10 (17%)
9. Fidelity       $5.3 (4%)
10. T.Rowe Price  $3.8 (5%)

Download the Excel file with more details.    

 

JB

Stonebridge and American Bank Offer Secure Account Login

Today's American Banker reports that Stonebridge Bank (West Chester, PA; $365 million) and American Bank (Allentown, PA; $500 million) are following E*Trade's move to offer hardware tokens to authenticate consumer logins.

As of May 30, Stonebridge is offering the token free-of-charge to any of its 4500 consumers who request one. The token will be mandatory for its 500 business customers. In its security FAQ, the bank says it will charge $25 annually, its out-of-pocket expense for the device, after the first year. They also charge $25 to disconnect the token during the first year and $25 to replace it within 5-7 business days, or $45 total for overnight delivery.

American Bank is sending the token to 1000 customers who said they would like one in a recent survey. There is no charge for the service. The bank expects to order another 1000 from RSA Security next month. It pays approximately $20 each, which does NOT include maintenance costs to operate the system.

Analysis
We applaud these three financial institutions for moving beyond the username/password. However, except for the most demanding customers, primarily businesses, hardware-based solutions are overkill.

The Bank of America/Passmark approach is much better. Not only is it more cost effective, it is also much easier to use and helps prevent the user from logging in at a fake site.

JB

 

 

 

Citibank Fights Fraud with Personalized Emails

It’s fitting that the financial company most targeted in phishing attacks, Citibank, would be the first to introduce a new email format that goes a long way towards helping users identify legitimate email messages.

The personalized emails (click on inset to enlarge) include not only the name of the recipient, but also the last 4 digits of the user’s ATM card. While simple personalization with the customer name would help many users identify legitimate emails, it’s far from fool-proof.

First, there’s the relatively common practice of including first and/or last names in email addresses. Also, some phishers are using direct marketing tactics, first running email addresses through various databases to append actual names and other info to the email record in order to develop a personalized pitch (see ZD-Net article).

Citibank’s new email format was announced to customers through a short message on the top of the online banking screen in early May. It is also now mentioned in the bank’s main FAQ page.

Analysis
This is a great first step in winning back the confidence of users. Eventually email standards will evolve so that the email client will be able to readily identify legitimate emails, but that could be years in the future.

If you are considering a similar approach, you might want to let users choose the name and identifying information that appears in the personalization box. In February, we reported on a UK security initiative that took that approach.

JB

Editor’s Note: Citibank received an OBR Best of the Web award for this and other security features in Online Banking Report #119, "Marketing Security."

Bank of America Unveils Multi-Factor Security for Consumer Accounts

Bank of America wins the race to be the first with a viable plan to secure consumer online banking accounts. In an announcement today, it becomes the first major U.S. bank to endorse multi-factor authentication for consumers at login.*

The system, already in use at Stanford Federal Credit Union, is called SiteKey. The clever approach from Bill Harris’s PassMark Security provides several layers of security to defeat phishing and keylogging attacks. The company calls it two-way two-factor authentication because not only does the end-user authenticate themselves to the bank, the bank authenticates itself to the user to defeat phishing schemes.

Here’s how it works (click on inset below for BofA page):

  1. User provides username
  2. BofA verifies that the login request is coming from the user’s previously registered computer; if NOT, user must successfully answer a challenge question based on previously registered shared secrets
  3. After passing steps 1 and 2, the user is shown their previously selected image, so they know they are logging into the true BofA server
  4. User enters their password
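
The four steps above, modelled as a small server-side state machine. This is an added example, not Bank of America's or PassMark's code; the class names, the device token, the registration of a computer after a passed challenge, and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def kdf(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)


def token_id(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class Account:
    """Hypothetical enrolment record: password, image, one shared secret."""

    def __init__(self, password, image, question, answer):
        self.salt = secrets.token_bytes(16)
        self.password = kdf(password, self.salt)
        self.image = image
        self.question = question
        self.answer = kdf(answer.strip().lower(), self.salt)
        self.devices = set()  # hashes of tokens issued to registered computers

    def register_device(self) -> str:
        token = secrets.token_urlsafe(32)
        self.devices.add(token_id(token))
        return token


class Login:
    """One login attempt; the state field enforces the order of the steps."""

    def __init__(self, accounts):
        self.accounts, self.account, self.state = accounts, None, "username"

    def submit_username(self, username, device_token=None):
        # Steps 1-2: look up the user, then check for a registered computer.
        self.account = self.accounts[username]
        if device_token and token_id(device_token) in self.account.devices:
            self.state = "image"
            return {"image": self.account.image}
        self.state = "challenge"  # unknown computer: image is withheld
        return {"question": self.account.question}

    def submit_answer(self, answer):
        if self.state != "challenge":
            raise RuntimeError("no challenge pending")
        given = kdf(answer.strip().lower(), self.account.salt)
        if not hmac.compare_digest(given, self.account.answer):
            self.state = "failed"
            return {"error": "challenge failed"}
        # Step 3: image shown only now; registering the computer is an assumption.
        self.state = "image"
        return {"image": self.account.image,
                "device_token": self.account.register_device()}

    def submit_password(self, password):
        # Step 4: the password is accepted only after the image was shown.
        if self.state != "image":
            raise RuntimeError("password submitted before image step")
        ok = hmac.compare_digest(kdf(password, self.account.salt),
                                 self.account.password)
        self.state = "done" if ok else "failed"
        return ok
```

The point of the ordering is visible in `submit_username`: a request from an unrecognized computer gets the challenge question, never the image, so the image cannot be fetched with a username alone.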

The service launches in mid-June in Tennessee with full roll-out by the end of the year.

Analysis
Even though it’s long overdue, we applaud Bank of America for moving the industry forward. While the program won’t be available system-wide until year-end, we’re giving it an Online Banking Report "Best of the Web" now because it’s the biggest development in U.S. online banking for several years.

The BofA/Passmark system is ingenious for several reasons:

  • Unless a user logs in from a new computer, there is little extra work involved; just a two-step login with username, followed by the password
  • Requires no hardware or out-of-channel coordination by the end-user; shouldn’t cause a major increase in customer service expense
  • Defeats phishing by displaying a personal image prior to asking for password
  • Defeats keylogging with the rotating challenge question

If you are at one of the other 15,000 financial institutions in the United States, the clock is now ticking. As your customers find out they are not among the 13+ million consumers (BofA’s current online base) receiving extra protection, they will be demanding the same from you. And if you thought BofA was aggressive in its free bill pay promotion, wait until you see the marketing blitz on this one. Extra authentication simply MUST BE in your 2006 plans.

JB

*For several years, ING Direct has asked for a third bit of info at login, but the necessary info is relatively easy to obtain (for example, zip code). Also, earlier this year, E*Trade launched security tokens for its high-rollers. But BofA is the first with a broad, secure, and non-hardware-based approach.