OBR Special Report on New Safe Banking Initiative

www.safe2bank.com

Fed by media reports, often wrongly implicating online banking in fraud
problems the public is becoming exasperated with the growing assault on
their computing. Spyware, adware, spam, viruses, worms and phishing are
enough to drive consumers back to that comfortable spot on the couch where
all they have to worry about is what show’s on next.*

04-dec-c01.jpg

At Online Banking Report, we’ve watched the growing backlash with great
concern. Although we’ve written about it, we want to do more. We’ve been
telling reporters for years that overall online banking is safer than
the paper processes it replaces. To get that message out to a broader
cross-section of consumers, we are launching the Safe Banking Initiative
(SBI) to foster education and awareness of safe online banking practices
within the industry and to educate the marketplace, especially the media, as
to the real risks of various banking and payment options, both online and
off. Its business model will be similar to the Underwriter’s Lab in
the electrical appliance field. The SBI website (under construction) will
contain educational information along with a database of certified banks.

Safe2Bank Online (S2BO) Certification

One of the first efforts will be the deployment of the Safe2Bank
Online Certification
program that will allow regulated financial
institutions to apply for a safe banking logo that can be displayed on their
websites. The idea is help consumers know when they are visiting a financial
institution that adheres to the Safe2Bank guidelines. We plan to make
the scorecard criteria open to the public via the Safe2Bank website, but the
weightings, actual scores, and score cutoffs will remain confidential
(although participating financial institutions will receive a full copy of
their weighted scorecard and comments).

 

The guidelines are still in development, and we are looking for your
input. The first draft is listed on pages six and seven. To become
certified, financial institutions must achieve a yet-to-be-determined
minimum score across the 80 items. Financial institution will not have to
pass all 80 guidelines to become certified, although there may be certain
required items such as a visible privacy policy, secure password-reset
procedures, and so on. Certified financial institutions will have their
names, Web addresses, and contact info listed on the Safe2Bank website. They
also have the option of licensing the mark to display on their own websites
and marketing material  .

To become certified, financial institutions must answer a questionnaire
on their online banking features and processes (all questions related to
publicly available material). Answers will be verified by an SBI employee
and scored using the criteria in Table 2 . Each factor will be weighted, and
partial credit will be available on certain guidelines. The resulting score
and comments from the evaluator will be shared with the participating
financial institution. The audit deals only with publicly visible features
and processes: it is NOT a back office or network security audit like the
SAS 70 or other regulatory reviews.

 

 

 

 

 

*As we were going to press, another story ran on The NBC Nightly News
about $90,000 lost by a small business apparently aided with information
obtained from a personal computer (reference:

msnbc.msn.com/id/6713753
).


 

 

Table 1

Safe Banking Initiative Timetable

Dec 2004 Industry announcement
Q1 2005 Online scorecard criteria
finalized
  Certification applications
accepted
Q2 2005 Safe Banking Online audits
begin
  First financial
institutions certified
  Safe2Bank Online public
awareness campaign launched
Q4 2005 Safe2Bank Online scorecard
revised

Source: Online Banking Report, 12/14/04

Timing & Cost 

Financial institutions are encouraged to apply now for certification. The
first wave of certified financial institutions will be announced at the
launch of the consumer education campaign, currently slated for second
quarter 2005. Financial institutions will be certified in the order of
application, so the earlier you return the reservation form, the sooner
you’ll be eligible. The cost for the certification audit is $500 payable
with your reservation form (see enclosed). The fee is not refundable,
but those not passing may reapply within 12 months for half price.

Licensing the Safe2Bank logo

Financial institutions passing the S2BO audit will have the option of
licensing our Safe2Bank Online logo for inclusion on their websites
and marketing materials. Licensing cost will be no more than $1000 annually
during the launch period. Final pricing will be announced in first quarter
2004.

Consumer Awareness Campaign

As the certification process unfolds, we will initiate a far-reaching,
consumer-awareness campaign. Part of that effort will be to help each
certified bank make a splash in their home market. SBI will assist in
issuing a joint press release and will participate in other media events as
well. Online promotional efforts will also be used to raise awareness of the
Safe2Bank designation.

Reservation Form

We have enclosed a signup form with this newsletter. Receive one via
email by sending a request to
anita@onlinebankingreport.com

  

Organizational Structure

The SBI is a wholly owned division of Financial Innovations, publishers
of Online Banking Report since 1995. The managing director is Kate Schultz
who brings to SBI a long track record of organizational leadership in the
nonprofit sector along with 10 years of contributions to Online Banking
Report. All guidelines will be reviewed by an industry advisory board
(below) before being finalized.

SBI Advisory Board

We consider every OBR subscriber to be an unofficial SBI advisor. So
please provide your input on the S2BO scorecard and any other aspect of the
initiative. We are also assembling a more formal advisory panel from the
industry to review the criteria and submit comments. If you would like to be
on the official panel, please email
kate@netbanker.com
. The position is voluntary and unpaid with a
relatively small time commitment**
(no meetings!). Membership is limited with preference to financial
institution employees.

Confidentiality

Although all the information obtained in the audit will be publicly
available, we understand the sensitivity of the industry to the threat of
hacking and leaks. Therefore, all audit results will be kept in
password-protected files on computers not connected to the Internet.

*Financial institutions are encouraged to obtain an opinion from their
compliance and legal staff on the ramifications and implied liabilities,
if any, of using the Safe2Bank logo.
**The time commitment should be no more than a few hours each quarter.


 

Safe2Bank Online Scorecard Beta Version 1.0

Table 2

Safe2Bank Online Scorecard

Source: Online Banking Report, 12/04

References: Security and Privacy Report, OBR 93/94

 

FraudEliminator – Online Security Toolbar

Because lack of trust and other security issues consistently rank first on the list of reasons why people don't bank online, we will continue to devote a seemingly inordinate amount of attention to this subject.

Fraudeliminator2That said, another new browser toolbar was recently released by FraudEliminator, LLC, a company founded just this year according to its website.

The toolbar is one of the better we've seen, combining excellent design with good functionality. Like eBay's toolbar, the FraudEliminator, monitors your and warns if a suspicious or flagged URL is entered in the address bar.

Fraudeliminator_toobar It's a good tool, but how does a user know that the FraudEliminator is not some malware in disguise? Unless the company spends millions educating the marketplace, this particular plugin will have trouble gaining a following.

However, if a bank were to partner with the program, releasing a co-branded or private-branded version, it could be a hit. The bank would provide the needed credibility while FraudEliminator LLC provided the technical expertise and support.

JB

TowerGroup posts Realistic Estimate of Phishing Fraud Losses

Link: TowerGroup

The financial services analyst continues to weigh-in on the estimated losses due to phishing and identity theft, with the latter becoming a catch-all for all financial fraud. Estimates from the FTC, Gartner, and Javelin have run into the billions.

Many media outlets have jumped on these estimates and made the incorrect leap that the losses were due solely to online fraud and phishing. Now, much more slowly the story is emerging that the actual online portion of these fraud losses is much smaller. Some even argue that online banking has reduced the total amount of fraud since consumers are able to pay closer attention to their accounts.

TowerGroup‘s latest report on phishing losses pegs the 2004 loss at $140 million worldwide; or about $1 per online banking household. That’s still a big number, and one that seems a bit high in our view, but it’s far less than the billion-plus implied by Gartner earlier this year. It’s also much less than the $500 million figure (for US only) recently released by the Ponemon Institute in a study commissioned by NACHA and Truste.

So is the online channel a help or detriment to the age-old battle against crime? From a monetary perspective, we believe it’s been a net loss so far. As Tower pointed out, it’s not just the actual losses, financial institutions spend far more in prevention and detection than they lose to the crooks.

But long-term, we are absolutely convinced it will be a much safer environment for banking compared to the paper-intensive processes it replaces.

— JB, jim@netbanker.com

Teller-Assisted Self-Service Platform : “Truly Automated Teller Machines”

04-dec-b01.jpg

Teller-assist terminals from Source Technologies could be deployed as a pod
around a human. This mock-up from the company’s website shows a relatively tight
arrangement. Initially, customers are likely to want a bit more privacy to feel
comfortable using the semi-self-service terminals.

 Teller-assist terminals can also be installed as standalone terminals
anywhere in a branch, or like traditional ATMs, in an off-site location.

 

Introducing The Safe Banking Initiative

Financial institutions must adopt new safeguards in 2005

04-dec-a01.jpg

We interrupt the regularly scheduled newsletter for an important bulletin: The industry1 MUST adopt stricter online authentication and monitoring tools or risk a damaging backlash against online banking and payments. To help spur innovation on the security front, we are launching a new effort called the Safe Banking Initiative, or SBI for short. We hope to create an Underwriters Lab (UL) type seal of approval for financial institutions to display on the websites and other marketing material.

BAI Retail Delivery 2004

On the way home from BAI’s Retail Delivery, I always try to reflect on the “themes” from this influential industry conference. This year it was all about integration: interbank (A2A) transfers integrated with bill payment; ATMs integrated with check processing; branches integrated with online banking; everything integrated with industrial strength CRM systems. 

My biggest aha! occurred at an unlikely spot. Normally, I skip the hardware displays with their legions of enthusiastic ATM salespeople, and head straight for the booths in the back where I always learn something from the online pioneers. This year my most memorable conversations were with Hill Ferguson, Melanie Flanigan, and the whole crew from Yodlee on the bus back to our hotel; Neil Platt and Sanjeev Dheer from CashEdge on the trade-show floor as they landed a major new bank account; and as always, catching up with long-time industry visionary Matt Lawlor from Online Resources.

But this year, thanks to an effective pitch from its Williams Mills rep, Jamie Stephenson, I found myself chatting with Miles Busby, founder of Source Technologies www.sourcetech.com  about his vision of the future branch. Think airport check-in, circa 2004, where rows of touch-screen kiosks greet flyers, run them through the check-in process, and spit out boarding passes. One or two attendants assist with checked baggage and answer questions posed by perplexed travelers using self-service for the first time2.

 

1We’re referring specifically to U.S. banks; many major banks outside the U.S. have already added rigorous and highly effective authentication processes; one major bank familiar to us has only lost a few thousands dollars year-to-date. 

2Alaska Airlines, the first airline to offer kiosk check-in, then later Web-based check-in, is considering eliminating the ticket counter altogether, a concept it is testing in Anchorage.

A Real Automated Teller Machine

Fast-forward to the bank branch of 2007.  Customers walk in the door and head directly to teller row, no lines. After swiping an ATM card and entering a PIN at terminals built into the counter, customers feed paper checks directly into the deposit slot. Instantly an image of the check appears on screen along with the amount of the deposit. After confirming, the total is added to the customer’s balance, the original paper s check returned as a receipt, and any cash-back is dispensed from the machine. Finally, the human teller asks, “Did you get that double billing on your credit card resolved
Mr. Poddenstopper?”*

The machines can also handle other routine transactions: loan payments and other bills could be paid by feeding billing statements into the machine, then selecting the account to debit; funds could be transferred within the bank or to accounts outside the bank; money orders, cashiers checks, and prepaid cards could be created right from the machine. Machines could be even be equipped to handle merchants, accepting and dispensing cash and coin, payroll checks, and prepaid employee cash cards.

The beauty of all this, not counting the labor savings, which Busby said could pay for the equipment within a year, is that it all ties in nicely with online banking. Upon return to their home or office, branch self-service users will be greeted with an email summarizing the transactions with links to online banking to view images of any paper checks or statements scanned in the branch, and to take any action related to the in-branch transaction. It’s similar to the way the airline check-in process is spurring travelers to go online and check-in prior to the trip to the airport.

Paperless Banking

Another chord struck at Retail Delivery was the growing threat to consumer confidence in online banking, and by extension banking in general, due to the proliferation of spyware, worms, Trojans, fake messages, as well as the mixed messages from financial providers, the media, and government regulators. Jim Van Dyke, whose Javelin Strategy www.javstrat.com  consultancy is doing pioneering work in this area, presented not one but two sessions on paperless banking. He looked at 44 criteria at 39 leading banks, determining that BofA, Wells Fargo, E*Trade, and Zions had the best total safety rating .

That’s great information on those 40 banks, but what about the other 20,000 U.S. financial institutions? How do consumers determine if they are dealing with a “best practices” bank or credit union? Not to beat our own drum too loudly, but we hope our Safe2Bank certification will go a long way in educating, and, more importantly, reassuring consumers and the media about real fraud threats, both on and offline.                                                                                       

 

Jim Bruene, Editor & Founder,

 jim@netbanker.com

*As soon as Mr. P swiped his card, his name, account history, and recent service issues instantly appeared on a screen visible only to the human teller. The customer record could also be enhanced with family names, pronunciations, and even the occasional cross-sell prompt. While this teller-automation technology has been available for years, the typical teller is too busy handling transactions to really converse with the customer

Gold Credit Report Package from Equifax

If you are looking for ideas on how to create a steady stream of fee income from your online presence, look at how the credit report marketers have continued to command premium prices even as the government mandates annual free credit report access.

We like Equifax ‘s approach. A laundry-list of features and benefits divided into a GOLD and SILVER offering. Gold, at $100 per year provides little more than Silver at $50 per year, but with a 30-day free trial, why not give it a try. Cleverly, the cheaper Silver plan does NOT have a free trial period. Many consumers will check out the Gold and never remember or bother to switch back to Silver.

By the way, we first heard about this offering through a banner ad on eBay in June.

Easy Anti-Phishing Defense for Banks

antiphishing_chart

With phishing reaching epidemic proportions (see chart), you need to look for ways to reinforce the authenticity of your website. Few banks have adopted one of the simplest trust building tools: greeting customers by name. This is simple to do through site registration and cookies. Online retailers have been doing this for years, it's time banks jumped on the bandwagon. Once registered, when accessing your website, either through an email link or via direct surfing, users will know they've come to the right place.

For more information on anti-phishing defenses, read OBR 102, No Phishing: Enlisting users in your battle against fake emails

U.S. Bancorp’s Stingy Email Storage

Usually we discuss innovations, this is an exception. We’ll call this a non-innovation, non-ovation for short.

In a time where all the huge Web-based email providers, led by Google’s free 1 GB of storage, U.S. Bank decides to delete emails sitting in customer in-boxes (within their online banking platform) after just 30 days. This includes estatement notifications.

Assuming the average customer gets one message per month, and each message is 2k in length, that saves about 20k in storage costs per customer, compared to keeping the messages for one year. Assuming the marginal cost for disk space is $10 per GB, that policy change will save an awesome 2 one-hundredths of a cent per customer per year, or $200 per 1 million customers.

Extensive online archive space is one of the biggest benefits of banking online. Don’t be pinch pennies on one of the lowest-cost aspects of your online Usually we discuss innovations, this is an exception. We’ll call this a non-innovation, nonovation for short.

In a time where all the huge Web-based email providers, led by Google’s free 1 GB of storage, U.S. Bank decides to delete emails sitting in customer in-boxes (within their online banking platform) after just 30 days. This includes estatement notifications.

Assuming the average customer gets one message per month, and each message is 2k in length, that saves about 20k in storage costs per customer. Assuming the marginal cost for disk space is $10 per GB, that policy change will save an awesome 2 one-hundredths of a cent per customer per year, or $2,000 per 1 million customers.

Extensive online archive space is one of the biggest benefits of banking online. Don’t be pinch pennies on one of the lowest-cost aspects of your online presence.

JB

——————————————————–
The full text of the message is repeated below:
——————————————————–

Date: 09/14/04
To: Jim Bruene
From: U.S. Bank

Subject: Messages now refreshed after 30 days

In an effort to populate the message center with current information, all messages, including ones related to online statements, will be deleted after 30 days. However, online statements will continue to be available for up to 90 days and can be accessed in the Recent Statement area at the top and bottom of each account Transaction History page. Online statement customers will continue to receive a message in the Message Center when a new statement is available.

——————————————————–
If you’d like to learn more about the future of online bank messaging, check out the Online Banking & Bill Pay Forecast: Current, future and historical usage: 1994 to 2016 from our sister publication, The Online Banking Report.

ComputerWorld Op-Ed on Phishing

Phishy e-mails and Web sites: What’s your responsibility? – Computerworld

Larry Ponemon, founder of the Ponemon Institutute, and new IT ethics columnist for ComputerWorld, writes about phishing this week.

His accout is unusual in the detail. His company surveyed 411 customers of a major retail bank that claimed to have clicked on a phishing email in May 2004 and who contacted the bank’s customer service department seeking help. Of the sample, 65 (16%) provided account details in the scam. Of those, 5 (8% of 65) reported account losses totally $50,000. Doing the math, that means a little more than 1% of those clicking on the fake email lost money, averaging $10,000 per loss, or $120 per customer who clicked. Pretty good money for the crooks if you don’t get caught.

More interesting is that 310 (75%) felt that the bank’s service reps were unprepared to deal with the problem. Nearly 60% of the total sample, a whopping 243 customers, said they would close their accounts at the bank. Even if just a quarter followed through, that’s 61 lost customers (15% of 411). Assuming each customer represents a NPV of $1000 to the bank, that’s another $60,000 in losses, bringing the total to more than $100,000.

Dr. Ponemon closes with five ideas for fixing the problem.

If you have been trying to convince senior managment to approve funding of additional security measures, by all means forward this article to them.

GeoTrust’s TrustWatch Toolbar


There’s a reason why everyone and their uncle are offering toolbar’s that
plug-in to Internet Explorer. They are a convenience to customers and a
tremendous branding opportunity. The latest entrant from GeoTrust’s TrustWwatch
unit: a privacy toolbar. It’s similar to Ebay’s Account Guard function with a
green light for “verified” websites, yellow for “not verified,” and red for
“warning,” websites on their black list. If you are working on a bank-branded
toolbar (see OBR 85), consider licensing this functionality from GeoTrust  http://www.trustwatch.com/
 Also, if you haven’t already done so, make sure your website is verified by
submitting it to one of the trusted third party certification authorities such
as Entrust, Betrusted, or GeoTrust.

 

Electronic Messaging Opportunities and How to use for Cost-Reduction Benefits

Electronic messaging is wide-open for innovation. The content, delivery, and
style of your electronic messaging provide numerous points of differentiation,
and the business case is positive with potential retention, cross-sale, and
cost-reduction benefits (see OBR 91/92 for a complete analysis).





Source: Online Banking Report, 9/04