OBR Special Report on New Safe Banking Initiative

www.safe2bank.com

Fed by media reports, often wrongly implicating online banking in fraud
problems the public is becoming exasperated with the growing assault on
their computing. Spyware, adware, spam, viruses, worms and phishing are
enough to drive consumers back to that comfortable spot on the couch where
all they have to worry about is what show’s on next.*

04-dec-c01.jpg

At Online Banking Report, we’ve watched the growing backlash with great
concern. Although we’ve written about it, we want to do more. We’ve been
telling reporters for years that overall online banking is safer than
the paper processes it replaces. To get that message out to a broader
cross-section of consumers, we are launching the Safe Banking Initiative
(SBI) to foster education and awareness of safe online banking practices
within the industry and to educate the marketplace, especially the media, as
to the real risks of various banking and payment options, both online and
off. Its business model will be similar to the Underwriter’s Lab in
the electrical appliance field. The SBI website (under construction) will
contain educational information along with a database of certified banks.

Safe2Bank Online (S2BO) Certification

One of the first efforts will be the deployment of the Safe2Bank
Online Certification
program that will allow regulated financial
institutions to apply for a safe banking logo that can be displayed on their
websites. The idea is help consumers know when they are visiting a financial
institution that adheres to the Safe2Bank guidelines. We plan to make
the scorecard criteria open to the public via the Safe2Bank website, but the
weightings, actual scores, and score cutoffs will remain confidential
(although participating financial institutions will receive a full copy of
their weighted scorecard and comments).

 

The guidelines are still in development, and we are looking for your
input. The first draft is listed on pages six and seven. To become
certified, financial institutions must achieve a yet-to-be-determined
minimum score across the 80 items. Financial institution will not have to
pass all 80 guidelines to become certified, although there may be certain
required items such as a visible privacy policy, secure password-reset
procedures, and so on. Certified financial institutions will have their
names, Web addresses, and contact info listed on the Safe2Bank website. They
also have the option of licensing the mark to display on their own websites
and marketing material  .

To become certified, financial institutions must answer a questionnaire
on their online banking features and processes (all questions related to
publicly available material). Answers will be verified by an SBI employee
and scored using the criteria in Table 2 . Each factor will be weighted, and
partial credit will be available on certain guidelines. The resulting score
and comments from the evaluator will be shared with the participating
financial institution. The audit deals only with publicly visible features
and processes: it is NOT a back office or network security audit like the
SAS 70 or other regulatory reviews.

 

 

 

 

 

*As we were going to press, another story ran on The NBC Nightly News
about $90,000 lost by a small business apparently aided with information
obtained from a personal computer (reference:

msnbc.msn.com/id/6713753
).


 

 

Table 1

Safe Banking Initiative Timetable

Dec 2004 Industry announcement
Q1 2005 Online scorecard criteria
finalized
  Certification applications
accepted
Q2 2005 Safe Banking Online audits
begin
  First financial
institutions certified
  Safe2Bank Online public
awareness campaign launched
Q4 2005 Safe2Bank Online scorecard
revised

Source: Online Banking Report, 12/14/04

Timing & Cost 

Financial institutions are encouraged to apply now for certification. The
first wave of certified financial institutions will be announced at the
launch of the consumer education campaign, currently slated for second
quarter 2005. Financial institutions will be certified in the order of
application, so the earlier you return the reservation form, the sooner
you’ll be eligible. The cost for the certification audit is $500 payable
with your reservation form (see enclosed). The fee is not refundable,
but those not passing may reapply within 12 months for half price.

Licensing the Safe2Bank logo

Financial institutions passing the S2BO audit will have the option of
licensing our Safe2Bank Online logo for inclusion on their websites
and marketing materials. Licensing cost will be no more than $1000 annually
during the launch period. Final pricing will be announced in first quarter
2004.

Consumer Awareness Campaign

As the certification process unfolds, we will initiate a far-reaching,
consumer-awareness campaign. Part of that effort will be to help each
certified bank make a splash in their home market. SBI will assist in
issuing a joint press release and will participate in other media events as
well. Online promotional efforts will also be used to raise awareness of the
Safe2Bank designation.

Reservation Form

We have enclosed a signup form with this newsletter. Receive one via
email by sending a request to
anita@onlinebankingreport.com

  

Organizational Structure

The SBI is a wholly owned division of Financial Innovations, publishers
of Online Banking Report since 1995. The managing director is Kate Schultz
who brings to SBI a long track record of organizational leadership in the
nonprofit sector along with 10 years of contributions to Online Banking
Report. All guidelines will be reviewed by an industry advisory board
(below) before being finalized.

SBI Advisory Board

We consider every OBR subscriber to be an unofficial SBI advisor. So
please provide your input on the S2BO scorecard and any other aspect of the
initiative. We are also assembling a more formal advisory panel from the
industry to review the criteria and submit comments. If you would like to be
on the official panel, please email
kate@netbanker.com
. The position is voluntary and unpaid with a
relatively small time commitment**
(no meetings!). Membership is limited with preference to financial
institution employees.

Confidentiality

Although all the information obtained in the audit will be publicly
available, we understand the sensitivity of the industry to the threat of
hacking and leaks. Therefore, all audit results will be kept in
password-protected files on computers not connected to the Internet.

*Financial institutions are encouraged to obtain an opinion from their
compliance and legal staff on the ramifications and implied liabilities,
if any, of using the Safe2Bank logo.
**The time commitment should be no more than a few hours each quarter.


 

Safe2Bank Online Scorecard Beta Version 1.0

Table 2

Safe2Bank Online Scorecard

Source: Online Banking Report, 12/04

References: Security and Privacy Report, OBR 93/94

 

Introducing The Safe Banking Initiative

Financial institutions must adopt new safeguards in 2005

04-dec-a01.jpg

We interrupt the regularly scheduled newsletter for an important bulletin: The industry1 MUST adopt stricter online authentication and monitoring tools or risk a damaging backlash against online banking and payments. To help spur innovation on the security front, we are launching a new effort called the Safe Banking Initiative, or SBI for short. We hope to create an Underwriters Lab (UL) type seal of approval for financial institutions to display on the websites and other marketing material.

BAI Retail Delivery 2004

On the way home from BAI’s Retail Delivery, I always try to reflect on the “themes” from this influential industry conference. This year it was all about integration: interbank (A2A) transfers integrated with bill payment; ATMs integrated with check processing; branches integrated with online banking; everything integrated with industrial strength CRM systems. 

My biggest aha! occurred at an unlikely spot. Normally, I skip the hardware displays with their legions of enthusiastic ATM salespeople, and head straight for the booths in the back where I always learn something from the online pioneers. This year my most memorable conversations were with Hill Ferguson, Melanie Flanigan, and the whole crew from Yodlee on the bus back to our hotel; Neil Platt and Sanjeev Dheer from CashEdge on the trade-show floor as they landed a major new bank account; and as always, catching up with long-time industry visionary Matt Lawlor from Online Resources.

But this year, thanks to an effective pitch from its Williams Mills rep, Jamie Stephenson, I found myself chatting with Miles Busby, founder of Source Technologies www.sourcetech.com  about his vision of the future branch. Think airport check-in, circa 2004, where rows of touch-screen kiosks greet flyers, run them through the check-in process, and spit out boarding passes. One or two attendants assist with checked baggage and answer questions posed by perplexed travelers using self-service for the first time2.

 

1We’re referring specifically to U.S. banks; many major banks outside the U.S. have already added rigorous and highly effective authentication processes; one major bank familiar to us has only lost a few thousands dollars year-to-date. 

2Alaska Airlines, the first airline to offer kiosk check-in, then later Web-based check-in, is considering eliminating the ticket counter altogether, a concept it is testing in Anchorage.

A Real Automated Teller Machine

Fast-forward to the bank branch of 2007.  Customers walk in the door and head directly to teller row, no lines. After swiping an ATM card and entering a PIN at terminals built into the counter, customers feed paper checks directly into the deposit slot. Instantly an image of the check appears on screen along with the amount of the deposit. After confirming, the total is added to the customer’s balance, the original paper s check returned as a receipt, and any cash-back is dispensed from the machine. Finally, the human teller asks, “Did you get that double billing on your credit card resolved
Mr. Poddenstopper?”*

The machines can also handle other routine transactions: loan payments and other bills could be paid by feeding billing statements into the machine, then selecting the account to debit; funds could be transferred within the bank or to accounts outside the bank; money orders, cashiers checks, and prepaid cards could be created right from the machine. Machines could be even be equipped to handle merchants, accepting and dispensing cash and coin, payroll checks, and prepaid employee cash cards.

The beauty of all this, not counting the labor savings, which Busby said could pay for the equipment within a year, is that it all ties in nicely with online banking. Upon return to their home or office, branch self-service users will be greeted with an email summarizing the transactions with links to online banking to view images of any paper checks or statements scanned in the branch, and to take any action related to the in-branch transaction. It’s similar to the way the airline check-in process is spurring travelers to go online and check-in prior to the trip to the airport.

Paperless Banking

Another chord struck at Retail Delivery was the growing threat to consumer confidence in online banking, and by extension banking in general, due to the proliferation of spyware, worms, Trojans, fake messages, as well as the mixed messages from financial providers, the media, and government regulators. Jim Van Dyke, whose Javelin Strategy www.javstrat.com  consultancy is doing pioneering work in this area, presented not one but two sessions on paperless banking. He looked at 44 criteria at 39 leading banks, determining that BofA, Wells Fargo, E*Trade, and Zions had the best total safety rating .

That’s great information on those 40 banks, but what about the other 20,000 U.S. financial institutions? How do consumers determine if they are dealing with a “best practices” bank or credit union? Not to beat our own drum too loudly, but we hope our Safe2Bank certification will go a long way in educating, and, more importantly, reassuring consumers and the media about real fraud threats, both on and offline.                                                                                       

 

Jim Bruene, Editor & Founder,

 jim@netbanker.com

*As soon as Mr. P swiped his card, his name, account history, and recent service issues instantly appeared on a screen visible only to the human teller. The customer record could also be enhanced with family names, pronunciations, and even the occasional cross-sell prompt. While this teller-automation technology has been available for years, the typical teller is too busy handling transactions to really converse with the customer