The industry coalition in charge of the .bank domain name extension has received more than 3,700 applications for the .com alternative from financial institutions worldwide, the vast majority this week.
fTLD Registry Services made the .bank suffix widely available on June 23 (it had been open to a select group of institutions since May). It is one of hundreds of generic top-level domains, or gTLDs, that had been put up for sale by the Internet Corporation for Assigned Names and Numbers.
Applying early for the .bank extension increases the odds of getting a preferred address in an industry where "First National" is as common a name as "John Smith." Over the longer term, the applicants hope the restricted top-level domain does for their websites what the FDIC sticker in the window did for their branches signify trustworthiness and security to consumers.
There's less risk of an imposter doppelganger than on .com sites because the .bank applications are vetted by industry members. fTLD was formed by the American Bankers Association, the Financial Services Roundtable and other industry members to take control of .bank. Among the added security requirements they require as gatekeeper include repeated verifications of charters and licenses and email authentication to mitigate spoofing and phishing. Advocates hope there will come a day when the public recognizes .bank as a signal that a URL belongs to a verified member of the banking industry.
Realizing this vision will require a culture change, however. Consumers, who are so used to typing in .com or searching for what they want on Google, might not think to look for the .bank extension for some time, if they ever do. And nothing is 100% spoof-proof.
"Criminals will find ways to capitalize on the change and find the holes we haven't even thought of yet," said Julie Conroy, research for Aite Group's retail banking group. Still, the flurry of interest in .bank "is positive news over the long haul," she said.
Advocates of .bank domain realize it's a long-haul initiative.
"This is a marathon," said Doug Johnson, the ABA's senior vice president of payments and cybersecurity policy. "It clearly isn't a sprint."
Nevertheless, Johnson said some banks are eager to implement their new bank domain names because of the expected security benefits. Not only are industry members serving as its gatekeeper, but the .bank extension is seen as a way to send authenticated emails so receivers have a higher degree of confidence they are receiving legitimate messages, he said.
Mercantile Bank of Michigan (not to be confused with the Mercantile Bank in Quincy, Ill., or the one in Louisiana, Mo.) is among the banks that have already applied for .bank domains.
The Michigan Mercantile did not want to wait to apply, said John Schulte, its chief information officer. The $2.9 billion-asset Grand Rapids institution wanted to make sure it could obtain the domains it wanted, even if that means it now has to do some work, he said.
"The idea of a more tightly controlled domain structure with additional security controls to help us combat phishing and other threats is very appealing, and I think that any way we can increase trust with our customers in accessing and using bank sites/services is a worthwhile pursuit," Schulte said by email. "It will be important to emphasize the additional security as the reason for the change when we ultimately communicate this to customers, and it will be more effective and less confusing if they see the banking industry as a whole adopting this change."
Rising Phishing Threats
"We believe the trend will increase," said Dave Jevans, founder and chief technology officer of Marble Security and chairman of the working group.
A domain vetted by banking insiders is not expected to be the scene of malicious registrations, Jevans said. The vetting process is "far superior" to most top level domains and the price is dear roughly $1,000 annually depending on which of the 21 fTLD-approved registrars used.
But Jevans said he doesn't expect .bank to be a silver bullet for the overall phishing problem: criminals can still register other domains that resemble legitimate companies' addresses.
"The majority of phishing is where people aren't reading the full domain," Jevans said.
Down the road, he said, the .bank extensions could be used as a tool for institutions to strengthen email communication with one another, with their regulators and potentially for transaction-related emails to consumers.
Still, banks would continue to face the larger problem with email marketing to customers: do they even care to open the bank-branded documents popping up in their inboxes?
"Banks have an opportunity to do better email marketing," said Nicole Sturgill, a principal executive advisor at CEB Towergroup. "But it's not about .com or .bank or where it's coming from. It's about how targeted and relevant it is to your life."