A Big Target, Bank of America, Also A Big Example Online
Where Bank of America goes, banks in America (along with credit unions) often follow.
That may be most evident in online banking and bill pay. BofA has more than 15 million active online users, and six million of those use its bill pay service. In fact, the bank reports that during 2004 half of all bills paid online were paid through BofA.
So it should come as little surprise that when one bank executive talked about BofA's online initiatives, many turned out at BAI's Retail Delivery Show to hear what Kathie Claypool, senior VP-e-commerce, had to say about where BofA is headed with its online strategy.
Not surprisingly, its strategy has been to focus on security, both to manage risk to itself from its huge online pool of users, and to the users themselves.
"We are a big, big target, and we have been for more than two years," said Claypool, who was featured in a BofA commercial during the Super Bowl. "We were seeing then what many of you may just be starting to see, so we have been on a path to decide what we were going to do."
BofA's Solution: SiteKey
What BofA has chosen to do is to roll out its next wave of online fraud protection, authentication and security, which it calls SiteKey. At its core is a series of safeguards aimed at reassuring the bank that the customer is who he claims to be and, just as importantly as phishing scams proliferate, reassuring the customer that the bank is who it claims to be in communications with customers.
Claypool said BofA has strived to constantly view the online experience from the customer perspective, which isn't easy for a bank of its size. Most banks' traditional views of security have come from the inside out, she noted, observing that the compliance department would focus on regulatory requirements, the cost/benefit of fraud mitigation, etc. None of those viewpoints represents the end-using customer.
"There is a growing sense of nervousness out there, and if we don't deal with it volume is going to erode," she said. Concerned over fraudulent communications, Claypool added that "people are not even opening e-mails, meaning they don't want to read your marketing messages or even open your e-Alerts, which would help them to feel safer."
Claypool cited research from Gartner Group that found that due to declining confidence among consumers in online banking, 28% of online users said they are cutting back, and more than 4% had abandoned online banking altogether. Jupiter Research found that one-third of consumers who do not bank online cited fraud as the reason, a three-fold increase over 2002.
"We have conducted more focus groups on this topic than I have ever conducted because we knew we had to understand the mindset of the consumer," Claypool said. "They want to be safe and feel safe, but the secret is that it isn't their problem. They aren't going to take ownership of the problem. They will look at you and say 'I expect you, my banker, to make me feel safe if you want me to deal with you. And don't inconvenience me. I will either leave you or stop using online banking if you make it difficult or require me to start carrying things around.'"
The latter is a reference to some of the proposed security tokens, such as key fobs.
Bank of America's strategic approach has been to focus on three areas, including awareness and education, with its positioning aimed at putting reassurance in its simplest terms.
What Customers Want
"The zero-liability was No. 1 and way above all else (in customer research) was the guarantee that you'll give me my money back if anything happens," noted Claypool. "If you're not willing to put this in front of customers and let them know it's your policy, you're missing a major point."
BofA began its analysis of its SiteKey program during 2004 and began rolling it out during the second quarter of 2004, with a complete rollout in 2006.
Claypool said BofA never pilots any product or service until it is complete from end-to-end. SiteKey is a two-factor authentication process that includes risk-based monitoring.
Customers pick an image from a library of images that appears every time they log onto the BofA site (a strategy being employed by some credit unions through PassMark); and also answer secret questions for future cases where the bank may be questioning their authenticity.
"We went to our customers and told them we had a new security feature, but we didn't want to send the message that it wasn't secure before," Claypool explained. "We positioned it as part of our continuing commitment to you."
Not wanting customers to ignore its message, BofA opted for what Claypool acknowledged was a non-banker graphic image, a muscular tough guy holding a little dog. It features a simple "How does this work" button on which users can click (the site can be found at www.bofa.com; see below).
Know You, Know Us
"We focused every bit as much on 'You'll know it's really us' as we did on 'We'll know it's really you,'" said Claypool. "We then walked them through a SiteKey enrollment (where they can pick an image) and answer three challenge questions, and they're done. When they sign in they will see their image and image title as long as we recognize the computer or geographic location they're coming from. They put in their user ID; they do not put in a password until we've identified them through the unique ID. They can have as many computers as they like; they can tell us to identify all of those computers."
BofA is using a combination of cookies and Flash-enabled objects to authenticate both user and provider. One computer can be used by several customers and each has its own unique ID.
"If the device ID or the HTTP header indicates this isn't the original device, we will look at where it's coming in from," said Claypool. "Is it coming from Pasadena? Or Taiwan? If we don't recognize the computer, we ask them a challenge question."
Claypool said Bank of America's investment in SiteKey has generated a return. Data has shown that customers, who say they feel safer with SiteKey, are doing more business with the bank.
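The sign-in sequence Claypool describes (user ID first, device check, challenge question for an unrecognized computer, image and title shown before any password is requested) can be modeled in a few lines. This is an added, simplified sketch, not Bank of America's or PassMark's code; every name, the sample enrollment and the decoy-question behavior for unknown user IDs are assumptions, and the location and HTTP-header checks mentioned in the article are left out.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def _digest(answer: str) -> bytes:
    # Normalise so " Rex " and "rex" compare equal (demo scheme, an assumption).
    return hashlib.sha256(answer.strip().lower().encode()).digest()

@dataclass
class Enrollment:
    image: str                 # image the customer picked at enrollment
    title: str                 # image title the customer typed
    challenges: dict           # question -> digest of the expected answer
    devices: set = field(default_factory=set)  # device IDs registered by this customer

# Constructed sample data for the demonstration.
USERS = {
    "alice01": Enrollment("lighthouse.png", "Summer 1998",
                          {"First pet?": _digest("Rex")}, {"dev-home-pc"}),
}
DECOY_QUESTION = "First pet?"  # asked for unknown IDs so step 1 does not confirm enrollment

def begin_sign_in(user_id: str, device_id: str):
    """Step 1: user ID only, no password yet."""
    acct = USERS.get(user_id)
    if acct and device_id in acct.devices:
        # Recognized computer: show the image and title, then ask for the password.
        return ("show_image", acct.image, acct.title)
    question = next(iter(acct.challenges)) if acct else DECOY_QUESTION
    return ("challenge", question)

def answer_challenge(user_id, device_id, question, answer, remember=False):
    """Step 2 for an unrecognized computer: one challenge question."""
    acct = USERS.get(user_id)
    expected = acct.challenges.get(question) if acct else None
    if expected is None or not hmac.compare_digest(expected, _digest(answer)):
        return ("denied",)
    if remember:
        acct.devices.add(device_id)  # customer asked to register this computer
    return ("show_image", acct.image, acct.title)
```

The password prompt would follow a `show_image` result only; a customer who does not see the enrolled image and title is expected to stop there.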
"Customers cannot parrot back exactly how SiteKey works. Do they care? No," she said. "All they need to know is if you don't see your image, it's not us."