Considerations for Banks Thinking About Migrating to a Dot-Bank Domain Name
by Kenneth J. Benton, Senior Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia
As consumers and businesses increasingly conduct their financial transactions online, banks are paying more attention to their domain names, which are the portals to their browser-based banking platforms. When choosing a domain name, bankers should consider selecting a name that will enhance the security of the bank’s website, appear in top search results, extend the bank’s brand, avoid trademark infringement, and be easy for customers to key in and remember.
While banks have wide latitude in selecting the portion of their domain name to the left of the dot, called the subdomain, until recently their options were limited in selecting the domain extension at the end of their web address, to the right of the dot, known as the top-level domain (TLD) (e.g., .com, .gov). As of 2012, only 21 TLDs were available, and some of these were available only to qualifying applicants (e.g., .edu is limited to U.S.-affiliated institutions of higher education). As a result, most banks have been using the dot-com TLD, which indicates a commercial organization.
In 2008, the Internet Corporation for Assigned Names and Numbers (ICANN), the governing body for Internet domain names, announced it was expanding the universe of TLDs by allowing applicants to self-select a new TLD.¹ In response to the change, fTLD Registry Services, LLC (fTLD), a financial services industry consortium, applied for a new TLD exclusively for banks and savings associations and related organizations such as banking trade groups. The new TLD, dot-bank, was approved by ICANN on September 25, 2014.² Effective May 2015, the dot-bank TLD became available to qualifying applicants that pass a screening process. Thus, a qualifying bank currently using the domain name www.bankname.com could migrate to www.bankname.bank. As of March 2017, more than 2,400 banks and savings associations in the United States registered nearly 4,900 dot-bank domain names, and more than 300 of these domain names are actively being used.³ This article discusses some of the factors a community bank may want to consider when deciding whether to migrate to a dot-bank TLD.
Security is perhaps the most important factor a community bank will consider when deciding whether to adopt a dot-bank TLD name.⁴ As online security breaches continue to make headlines, concerns about website security are weighing heavily on banks and their customers. Customers want peace of mind that they can conduct financial transactions safely on a bank’s website, while banks want to prevent financial losses and damage to their reputations as a result of fraud. Because no single magic bullet exists to protect against all threats, website security typically uses a multilayered approach. If one defense fails, other defense mechanisms can still detect and prevent an attack.
The dot-bank TLD uses the following enhanced security requirements:
- Eligibility is limited to:
  - banks and savings associations around the world that are chartered and supervised by a state or national government regulatory agency;
  - associations (such as trade groups) whose members are primarily composed of banks and savings associations;
  - service providers principally owned or supported by regulated entities; and
  - government regulators of chartered and supervised banks and savings associations and organizations whose members are primarily composed of such government regulators.⁵
- The software security company Symantec reviews all of fTLD’s applications worldwide and verifies an institution’s eligibility, including a security check.
- Registrations must be re-verified by Symantec every two years to confirm an institution’s continuing eligibility.
- Banks and savings associations must use domain name system security extensions, which verify that Internet users are reaching the web page of the institution and have not been taken to a fraudulent site.
- The dot-bank TLD must be hosted on dot-bank name servers to protect against manipulation of the domain name server, which has been used in the past to facilitate fraud.
- Banks and savings associations must employ e-mail authentication, a technology process used to protect against phishing and spoofing e-mails. Criminals frequently use forged e-mails to obtain information that can facilitate crimes. E-mail authentication technologies (e.g., DomainKeys Identified Mail, Sender ID, and Sender Policy Framework) verify the identity of the sender of an e-mail and can block e-mails that cannot be authenticated or notify the recipient that the identity of the sender could not be verified.
- Only Internet registrars (the companies that register an organization’s domain name) approved by fTLD can conduct dot-bank registrations. The current list of approved dot-bank registrars is available at www.register.bank/registrars.
- Additional security requirements include, but are not limited to, using multifactor authentication for attempted changes to a bank’s registration information, prohibiting registration through a third party (which hides information about the registrant), and implementing the encryption standards of the National Institute of Standards and Technology Special Publication 800-57.⁶
Collectively, these and other dot-bank security requirements help mitigate the risk of fraud. For example, bank customers may receive phishing e-mails that contain malicious links to a spoofed website that appears to be a bank’s website. If customers provide their log-in credentials on the spoofed website, criminals can capture the information, which allows them to initiate an account takeover. The malicious link will have a domain address very similar to the bank’s actual website address to deceive the customer. For example, if a bank’s web address were www.bankname.com, the phishing link might contain a slight variation of the bank’s web address, such as a hyphen (www.bank-name.com).
Because eligibility for the dot-bank TLD is limited to the entities discussed previously, and only after they have been vetted by Symantec and approved by fTLD, it should be much more difficult for a criminal to establish a spoofed bank website with a dot-bank extension. The hope is that as customers begin to associate the dot-bank extension with a bank’s website they will become skeptical of any website claiming to be the bank’s website but lacking the dot-bank extension. Moreover, because of the e-mail authentication requirement, if a criminal attempts to send out a spoofing e-mail that appears to be from a bank, participating Internet service providers (ISPs) will recognize the discrepancy between the Internet protocol (IP) address of the sender of the phishing e-mail and the IP address of the bank on file. The ISP could then take steps to prevent the e-mail from being delivered.
Finally, because website security is an important concern for customers, banks adopting the dot-bank extension could use this as a selling point in their marketing materials to distinguish themselves from competitors that have not yet adopted the dot-bank TLD.
Available Subdomain Names
fTLD’s subdomain name allocation policy prohibits the use of certain common banking names and generic names, such as “community,” “national,” “premier,” and “first security.” A complete list of unavailable fTLD names is available at www.register.bank/reserved-names-list.
Institutions that switch to the dot-bank TLD have the opportunity to change their subdomain name. The dot-bank TLD greatly expands the universe of available domain names because names that might not have been available for a dot-com TLD could be available for a dot-bank TLD. If, for example, a bank’s current web address is hard for customers to remember or is too similar to the web address of a competitor, the bank can change its subdomain name when it migrates to the dot-bank TLD.
The fee to register for a dot-bank TLD varies among the short list of approved dot-bank registrars, but the average cost ranges between $1,000 and $2,000. Further, the enhanced security requirements for the dot-bank TLD will increase the operating costs for banks that are using that extension. Banks will also incur transitional costs, such as the cost to change the bank’s URL wherever it appears (e.g., signage, documents, and marketing materials), the cost to notify and educate customers, and the cost to exhaustively test the new web address across all subdomains. Finally, banks will likely retain vendors in connection with the migration and operation of the dot-bank TLD. On average, the process takes approximately four to six months to complete.
The availability of the dot-bank TLD has prompted some banks to consider migrating their Internet addresses to this TLD. As of March 2017, more than 40 percent of the banks and savings associations in the United States had completed registrations for the dot-bank TLD.
Banks should weigh the benefits (e.g., enhanced security and a broader choice of subdomain names) against the costs (e.g., fees for transitioning, testing, and maintaining the new domain name) before making any decision to migrate to the dot-bank TLD.
fTLD Registry Services, LLC
This website offers a wealth of resources ranging from information about eligibility requirements to guides to leveraging a dot-bank domain to PR tools.
This web page addresses the most frequently asked questions about eligibility, registration requirements, costs, the verification process, security requirements, and more.
- 1 See “Biggest Expansion in gTLDs Approved for Implementation,” ICANN, June 26, 2008, available at www.icann.org/news/announcement-4-2008-06-26-en.
- 2 See “.bank Registry Agreement,” ICANN, September 25, 2014, available at www.icann.org/resources/agreement/bank-2014-09-25-en.
- 3 Personal communication with Craig Schwartz, managing director, fTLD Registry Services, April 26, 2017.
- 4 Paul Shukovsky, “Banks Flock to New .bank Domains for Security, Branding,” Bloomberg BNA, August 16, 2016, available at www.bna.com/banks-flock-newbank-n73014446420.
- 5 The complete list of eligibility requirements is available at www.ftld.com/docs/fTLD-Registrant-Eligibility-Policy-BANK-20170421.pdf.
- 6 Elaine Barker, “Recommendation for Key Management, Part 1: General,” NIST Special Publication 800-57 Part 1, Revision 4, January 2016, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf.