There are a few ways to get to Pineville, KY, but the quickest route is to head south from Lexington on I-75 for two hours until you reach Corbin. From there you head east on U.S. 25E for 30 miles until you hit Pineville, nestled on the western edge of the Appalachians.

Charles Evans, manager of the head office at Security First Network Bank FSB in Pineville, hopes that a lot of people will come this way, particularly now that the highway has been widened to four lanes. He and other business leaders from this coal mining community figure the new road will attract vacationers from Cincinnati and the Ohio Valley looking to shave half an hour from their drive to resorts in the Carolinas.

If they're right, then perhaps there will be new life for Pineville's economy, which Evans says "still depends on coal mining-although that isn't what it used to be." Lately the timber industry has discovered the area, bringing in new money and offsetting somewhat the declining fortunes of coal. But Pineville is a town in search of a future, even if its grip on the present seems tenuous.

But a much more novel way of getting to Pineville--and the road that could really put this town on the map--is the Internet. If the Information Superhighway brings in the kind of traffic that Evans and others hope it will, then newly-widened U.S. 25E will look like a cow path by comparison.

In October 1995, Security First--a tiny thrift with a mere $40 million in assets---became the first financial institution in the country to adopt the Internet as its primary distribution channel. While its initial product is essentially limited to an electronic bill payment service, Security First will start taking credit card applications over the internet early next year, and it hopes to begin originating mortgages electronically shortly thereafter. It also plans to set up marketing agreements with discount brokers and other financial service providers to offer their services through its program.

"We want to be a full-service bank," says James "Chip" Mahan, chairman of Lexington, Ky-based Cardinal Bancshares Inc., and the real force behind this improbable venture. "We want to offer a mortgage product, a secondary mortgage product and a car loan."

Security First may be the first depository institution to attempt to do all its business on the Internet, but the ethereal world of cyberbanking is expanding at a blinding pace. A quick peek at an Internet directory in early November came up with 166 depository institutions around the world that have pages on the World Wide Web. What's more, the list grows almost daily as more banks add one service or another on the Internet. The same directory listed only 134 banks in mid-September.

For the most part, these institutions are using the Web for what one banker has dismissed as "glorified billboards." One of the few exceptions is Wells, Fargo & Co. Since early 1995, it has used the Internet to authorize credit card transactions for a small group of merchants. Later, Wells began allowing customers to fill out new account forms or apply for loans on their personal computers and then transmit that information via the Net.

Beyond Advertising

Now other banks, are joining the fray. Those that had restricted their Web pages to mere advertising are starting to open accounts on the Net, and full-scale transactions seem to be just around the comer. It's nearly impossible to assess Mahan's prospects, should cyberbanking take off the way he hopes. Perhaps he will achieve every entrepreneur's dream of riches and lasting fame. Perhaps Security First's lasting distinction will only be that it was first, only to be trampled in time by a herd of larger competitors. Maybe Security First is less important for what it is than what it represents: The dawn of a new era in banking.

Then again, all of this Internet mania could turn out to be a lot of rubbish. Before any bank mines big profits from the Internet, they have to come to terms with a variety of pressing issues. In the last three months, the greatest concern has been Internet security. Several well-publicized security flaws in Internet software have been noted, and their presence has made clear that there are no guarantees that transactions over the Internet are 100% safe. "We think the security issue is why you need to move very cautiously," says Catherine Graeber, senior vice president for BankAmerica Corp.'s interactive banking division. These concerns notwithstanding, BofA began accepting credit card and mortgage applications via the Internet in October.

Prior to that, if a BofA Internet customer wanted to open an account, they could click an icon on the Web page, print out an application form and fax it to the bank. But the San Francisco bank is comfortable enough with the latest improvements in security to allow customers to send their names, addresses, Social Security numbers and other personal information over the Net.

A second issue is that although there are already millions of households with personal computers and modems, this technology will have to become even more widespread and easier to use. "We don't know how much consumers will want to bank on line," says Dan Schutzer, a Citicorp vice president. There are 25 million people with access to the Internet, "but that's still only one-tenth of the population, and not all of them will want to use it for banking," he says. Schutzer is a board member for the Financial Services Technology Consortium, a trade group that is testing and promoting retail and commercial banking on the Internet.

Another unanswered question is the cost for and retailers of providing the necessary customer service. It's a given that as more bank on line, banks will have to improve their toll-free phone service. Either they'll have to add more staff, train the existing staff to handle complicated PC and Internet-related questions or set up specialty phone services for internet customers. Perhaps the cost savings from reducing branch networks will eventually exceed the increased expenses of providing customer service for cyberbankers--at least that's what Schutzer's instincts tell him--but no one is really sure.

The cost equation is further complicated by the unrelenting demands of shareholders for performance. Bank chief executives are expected to produce improved results this quarter, not next year. Thus even those banks that truly believe in the Internet's potential are hesitant to throw huge sums of money at it, says Charlotte Wingfield, a partner in KPMG Peat Marwick's Los Angeles office.

That's one reason the FSTC, having already demonstrated that electronic checks can be sent via the Internet, is now forming a business council that includes retailers, says David Kurrasch, a Wells Fargo senior vice president who also chairs the council.

Internet banking for the mass market may not come about easily or quickly, but there's clearly plenty of interest in testing its potential. And it seems inevitable that bankers and other commercial adventurers will keep poking and prodding until they hit upon the right equation.

Mahan is convinced that Security First is ahead of the pack in arriving at this formula, although he knows that there's plenty of competition out there. While his may be the first Internet bank, it was the FSTC that earned the distinction of sending the first check via the Net last September.

None of the dozen or so banks in the FSTC have yet to set up permanent Internet programs in the manner of Security First for the purpose of full-service banking. So, although the big boys were the first ones to pay a check via the Internet, lil' ole Security First, in lil' ole Pineville, is doing business in Cyberspace every day.

An Entrepreneur's Story

All of this would have been unthinkable three years ago when Security First was acquired by Cardinal. Mahan spent almost 15 years in banking, including a 10-year stint at Wachovia Corp., before starting Cardinal from scratch eight years ago after the bank he was then running was gobbled up by Banc One Corp. Determined to be his own boss from then on, Mahan formed Cardinal "to buy community banks in the middle of Kentucky that had high market shares and low overhead." Next he started a private banking operation in Lexington. "The country banks basically fund the asset growth of the private bank in Lexington," Mahan says.

In its relatively short life, Cardinal has started two commercial banks de novo, bought two others and acquired two thrifts, one of which was transformed into the Internet bank. Cardinal has since grown into a modest-sized operation with $642 million in assets.

Cardinal also has launched a number of business ventures, such as a small business lending subsidiary and a consumer finance company. Almost all of these businesses are in based eastern Kentucky. Security First is, in some ways, just Mahan's most recent banking venture. He professes to be "excited about all phases of our business," and not just the Internet.

But how could a small-town thrift that no one outside of southeast Kentucky had ever heard of became the first bank on the Internet? Prior to this May, Security First was known as First Federal Savings, a $75-million-asset institution with five branches in Pineville and several neighboring towns. Cardinal bought First Federal and another Kentucky thrift, Mutual Federal Savings of Somerset, in 1993. As part of the rechartering of First Federal into Security First, four of its branches and about half its assets were transferred to Mutual Federal. Now, with but one office in the extreme southeast comer of Kentucky, the thrift is the most remote of Cardinal's operations. The region is also one that Cardinal's 1994 annual report says has had a higher unemployment rate than the rest of the state for most of the past 10 years and has been losing population.

Essentially, chartering the Internet bank through First Federal was a convenient way to get something out of an operation that had few prospects for growth. Mahan expects to spin off this subsidiary as a separate public company as of Jan. 1, 1996. At that time, Cardinal's shareholders will own 50% of the new company and will get one share of Security First for each share of Cardinal they own.

That pending transaction has lifted Cardinal's stock, which languished between $27 and $32 through most of 1994 and into the early part of this year. But the stock price rose sharply in mid-September as the launch of the Internet bank drew closer. By November, the share price was up to $57.

Virtually all the excitement over Cardinal's stock has stemmed from investors betting on the banking company's Internet strategy, according to Alan Morel, an analyst at the brokerage firm of J.J.B. Hilliard, W.L. Lyons, in Lexington.

Granted, many bank stocks have done well this year, But most issues rose on takeover speculation. For the stock of a mid-sized Lexington, KY, banking company to make such a jump in such a short time--especially when its earnings are lagging the rest of the industry--is extraordinary.

From 1991 through 1993, the company had an average return on assets of 60 to 70 basis points and about a 10.5% return on equity. Those results worsened in 1994, when Cardinal lost $538,000, which was well off its 1993 profit of $3.5 million. Cardinal returned to profitability this year, although just barely. Through the first six months of 1995, Cardinal earned an 11-basis point return on assets and a 3.8% return on equity. The company's third-quarter earnings had not been reported by press time.

The losses had a lot to do with the heavy expenses the company has had in the past two years. Cardinal spent $3.5 million last year on its consumer finance subsidiary, and another $500,000 on a new data processing system unrelated to the internet. Also, according to the 1994 annual report, Cardinal spent $120,000 on its Internet program with Security First last year, and it expected to spend another $400,000 by the time the project went live.

Investing in Growth

Mahan says the company is investing in its future growth and forgoing profits now. The flurry of new business activity left Cardinal strapped for cash. So when it set up Security First, the company sought other investors. A total of $5 million to add to the re-charted thrift's capital was put up by Wachovia, Huntington Bancshares Inc. and Area Bancshares Corp. of Owensboro, KY. The three companies will hold a combined stake of just under 15% in the Internet bank after it is spun off. Huntington intends to launch its own Internet project next year, using the same software at the heart of the Security First venture. Area's chairman and largest shareholder, Carol Gatton, is a Cardinal director as well.

After he left Wachovia, Mahan said he kept in touch with several executives at the Winston-Salem, NC, banking company, including current CEO Bud Baker. For the past five years, a seat on Cardinal's board has been held by Howard Runnion, who retired as Wachovia's chief financial officer in 1990. Wachovia, according to an executive there, invested in Security First as a risk-free means of learning about the internet ("Rolling Out the Carpet for Bill and Scott," October 1995).

Runnion, who still maintains an office at Wachovia, says that Cardinal is on the right track with its banking in cyberspace venture, but he says he was not involved in his former employer's decision to invest in the Internet bank.

"There is a lot of interest in the banking industry in this product," Runnion said in a phone interview. Conceivably, a product like the one Security First is using would allow small banks to compete on a level playing field with big banks. On the Internet, it doesn't matter if a bank has 1 branch or 1,000; $10 million in assets or $10 billion. All web pages are created equal--in theory.

In anticipation of cashing in on that apparent egalitarianism, Security First will sell its software to other institutions. Large banks and thrifts

can buy it outright and run it themselves at their own data centers. For smaller banks, Five Paces Software Inc., a software firm affiliated with Security First, will run the software and manage the Internet connection at its Atlanta headquarters.

The Software Connection

The rise in Cardinal's stock stemmed not so much from the novelty of Security First's Internet strategy, but primarily the relationship Security First will have with Five Paces, which is run by Mahan's brother-in-law, Michael McChesney. In the process of being spun off from Cardinal, Security First intends to acquire Five Paces. The managers of Five Paces, who own most of the privately held firm's stock, will receive about 200% of the shares of Security First in return.

The thrift and the software company will have a connection comparable to that between Marshall & Ilsley Corp. of Milwaukee and its M&I Data Services data processing subsidiary. M&I Data runs the computer systems for all the subsidiary banks of Marshall and Ilsley, and it also sells its software and services to other banks around the country. Large banks tend to run M&I's software products themselves, while smaller institutions use the company's service bureau.

In the case of Security First, the computer that links it to the Internet, also called the "Web Server," is run by Five Paces, which will also sell its software to any bank that wishes to purchase it.

"From Soup to Nuts"

Our whole strategy is to provide banks with a turnkey solution from soup to nuts," says Cardinal's director of marketing, Charles Ogilvie, who was among the first people Mahan hired once he decided to go forward with the Internet project. Prior to joining Cardinal Ogilvie spent 10 years at National Commerce Bancshares in Memphis, where he helped set up branches in supermarkets for NCB and any other bank that wanted to pay for NCB's consulting services. Supermarkets became an inexpensive way for NCB to extend its branch network, and the related consulting business brought in some fee income for the holding company. Mahan hired him at Cardinal in 1994 to map out a similar strategy for Internet banking.

The difference is that M&I is, by itself, a very profitable banking company. The data processing unit just gives its shareholders a little extra for their money. in a sharp contrast, the potential for Five Paces' software business seems much greater than Security First's banking operations. The thrift is essentially a test case and a customer demonstration site to show Internet banking in action for prospective customers of Five Paces.

McChesney and Mahan hesitate to put it exactly this way, but they are quite open about expecting to sell large amounts of their software to other banks. if their business grows according to plan, in two or three years the Five Paces tail will easily be wagging the Security First dog.

"It's a perfect hedge," Mahan says. "Either we're going to get a swath of the early adopters [of internet technology], or every other bank with an Internet program is going to buy our software."

It seems, though, that they are putting most of their money on the potential market with other banks. The Internet does level the playing field between big banks and little banks, but the flip side of that coin is that every bank on the Internet winds up being just one more blade of grass in a great expanse of financial services sod. Customers must know in advance they want to click their mouse on your Web page. But no one knows how much will have to be spent on advertising to get them to do that. More importantly, no one is certain just how consumer advertising will work on the Net. if there isn't any Internet advertising, then banks will simply have to wait for on-line addicts to stumble upon their electronic addresses.

Security First did take out large display ads in The Wall Street Journal and American Banker to coincide with the formal launch of the Internet bank, and it plans to advertise in some computer magazines such as Wired in November and December, says Ogilvie. This year, the thrift is just interested in catching the so-called "early adopters," the people who are the first to buy any computer product the instant it hits the market. In 1996, the advertising plan will be expanded to more general publications like Business Week.

Because the most lucrative customer base for Mahan and his team is other banks and financial service firms, they have clearly identified their competition--and it's not Citicorp, Merrill Lynch & Co. or Fidelity investments. The bogeymen they fear most are Microsoft Corp. chairman Bill Gates and Scott Cook, chairman of Intuit Inc. and publisher of Quicken, the top-selling financial software for home computers.

For the Five Paces strategy to succeed, Mahan and McChesney must convince prospective customers that it's in their interest to buy a software package from a fellow bank traveler rather than a software vendor like Microsoft or Intuit.

Mahan and McChesney argue that non-bank providers of on-line services--whether they are software companies, regional Bells or cable TV suppliers--can position themselves between banks and their customers. The provider of the home banking service, whether it's the bank or a technology firm, can both determine which services a customer will see on her screen and what kind of fees she will pay for an affiliated discount brokerage, an affinity credit card or a mortgage application.

Keeping the Fees

Mahan and McChesney say that with their software, a bank can provide whatever services it wants without giving up any customer-generated fees. These banks may have to pay Five Paces or another processor to route their payments on the back end, but that's a different issue.

If a bank can be the customer's first point of contact, then it is likely to gamer a larger share of the online fee income. If the software company controls what the customer sees, then the bank will wind up with less.

"The spread is not where the money is," Mahan insists. His sales pitch for Security First--and Five Paces, too, for that matter--is that this approach gives the bank its best shot at controlling what the customer sees, and also collecting fees.

It's not an incidental issue, says Runnion. Banks used to provide many services, such as checking accounts, for free. "Once you did away with Reg. Q (in March, 1986), and took the limits off of what banks could pay for deposits, the free services had to go," he says. "This process has changed banking." Fee income became a necessity well before the cyberbanking phenomenon was hatched, but service-generated fees will only become more important as the on-line world takes off.

Regulatory Approval Needed

Security First still has other hurdles to clear before it reaches its destination. The Office of Thrift Supervision took about eight months to approve Cardinal's conversion of the former First Federal Savings to Security First. Mahan said the OTS needed to get comfortable with the prospects of banking on the Internet before it would approve the conversion.

Security First's president, Michael Karlin, said Cardinal sought to charter the internet bank as a thrift rather than a commercial bank because that would allow them to start sooner. "We felt that was the path of least resistance," Karlin explained before a New York press conference on the new thrift's first day of business on the Internet. "The thrift charter is free from the branching law and the national banking law." It will be another year before all the legal restrictions on interstate branching for commercial banks are lifted.

But before Security First profits from sales of Five Paces' software, the OTS must approve its acquisition of the software firm.

Federal banking law does permit thrifts to run data processing companies, says Richard Byer, a Washington attorney who chairs the American Bar Association's committee on savings institutions. While he doesn't have any first-hand knowledge of either Cardinal or Security First, Byer says regulators may be leery about any exposure to the holding companies stemming from Five Paces' operations. In the wake of the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) of 1989, non-depository subsidiaries of bank and thrift holding companies must be separately capitalized. This is to limit the likelihood of the banking operations from being drugged down by any losses suffered by the nonbank businesses.

Since the Internet--and most particularly security on the Internet--is such an unknown factor, regulators may be hesitant before they stamp their approval on this relationship.

Stuart Stein, an attorney with the Washington firm of Hogan & Hartson, which is representing the Cardinal venture, says he's not worried about any delays in getting any regulatory approval.

Yet the whole issue of security, even if the OTS approves Security First's acquisition of Five Paces, is already a troublesome one for internet banking. And it threatens to become even more contentious as this market expands.

For starters, there's more than one proposed method for protecting transactions over the Internet. Visa International and MasterCard International are squating off over their competing proposals. Visa has teamed up with Microsoft to back one method, called Secure Transaction Technology, while MasterCard has joined forces with Netscape Communications Corp., the leading provider of a so-called "Web browser." IBM Corp., GTE Corp. and CyberCash Inc., a year-old-company formed to authorize Internet credit card transactions, are all part of the Mastercard and Netscape team, whose proposal is called Secure Electronic Payment Protocol.

The jockeying to establish a security standard only threatens to confuse banks, merchants and their customers, especially since it's unclear how Internet commerce will be affected while the card associations and the software companies thrash things out.

The rival groups are striving to see their respective protocols used by merchants. Today, requests for card authorizations are almost universally sent over telephone lines, which are generally considered well-protected from any unauthorized listeners. In the world of cyberbanking, authorization requests for credit card transactions will lide the Internet, which, at least in theory, is far more vulnerable to a wiretap because anyone with a personal computer and a modem--be they in Lexington or Laos--can listen in.

Visa's and MasterCard's proposals both use a variety of technological tricks to protect transactions, starting with encrypting the data. It's possible that both methods could survive and be used everywhere that banks process Internet transactions, says Edward Hogan, a senior vice president with MasterCard. But it's not clear how much it will cost merchant's to install the necessary encryption software. Nor is it clearly understood exactly where this software needs to be installed--at the merchant's site, at the processor who handles the merchant's transactions or with the customer using the Internet. It is almost guaranteed that it will be more expensive for merchants to support two standards instead of one.

In today's world, when a credit card is used at a store, a merchant gives up about 1.8% of the transaction as a discount. Most of that amount goes to the cardholder's bank for assuming the bulk of the transaction's risk. The remainder is divvied up among the other parties. Mail-order sales, where the cardholder isn't present, are assumed to have a greater risk. In those cases, the merchant pays a fee that's just over 2%. This higher fee will be used for Internet purchases, says MasterCard's Hogan.

It's also current practice that third-party processors like First Data Corp. and National Processing Co. get a piece of every card transaction. With Internet commerce, the software companies like Microsoft and Netscape could well gamer a piece of the action, too. But again, how this will shake out is by no means certain.

Given all the highly publicized security lapses that have become public in the last four months, the concern about the Internet's safety is justifiable. Even with tight security at the local network server that connects a bank to the Internet, security breaches are still possible, according to a research paper posted on the World Wide Web by Eric Brewer, an assistant professor of computer sciences at the University of California at Berkeley. He and four of his graduate students have publicized several security holes they say are well known to the Internet community.

While Kurrasch of Wells Fargo and several of the other bankers involved in the Internet acknowledge the gravity of the whole security issue, they believe that the flaws are addressable. The possibility of a hacker using the Internet to plow through a bank's computer systems is one concern. Almost as serious is the possibility that fears about security will chop the Internet banking phenomenon off at the knees. While those fears can be addressed with public statements and press releases, the public's fear that security holes are much greater than anyone will admit will always be lurking off-stage.

"Anything is breakable with enough computing power and time," Kurrasch admits.

But McChesney argues that the flaws in Netscape are overblown, rare and not easily exploited by even the most sophisticated criminals. Moreover, he says the Five Paces software relies on security techniques that another firm he owns, Secure Ware inc., first developed for the Pentagon in the 1980s. While no system is foolproof, McChesney admits, he still believes these features can prevent many of the breaches publicized by the Berkeley students.

Can it Fly?

It's amazing just how far the Internet has come in a scant two years. Go back before all the hoopla started and most bankers--or most people, for that matter--had probably never heard of the Internet. "Eighteen months ago, a mouse was a rodent to me," quips Mahan, with just a touch of exaggeration.

And yet now the Internet is being written about and talked about constantly. People no longer wonder if business can be done on the Internet, but bow it can be done. "We've demonstrated that it's possible to use the Internet for payments," says John Doggett, another FSTC board member and the director of applied technology at the Bank of Boston. "Now we're trying to develop the business cases."

But as things are now, the Internet is simply too new and too unknown for anyone to be sure of just how much money there is to be made on it. This worldwide network may indeed to be turned into the next multi-billion industry with a global customer base in a few short years. Starting an Internet business now could have as bright a future as starting a telephone company in 1910 or a television studio in 1945. The sky could be the limit. Indeed, anyone who argues otherwise isn't taken seriously at this point.

Still, there are some bankers who clearly aren't swooning over the Internet's prospects.

George Reese, president of First State Bank of Pineville, which has a branch two blocks down from Security First's, says the internet hasn't been that big a deal locally.

"From a local standpoint, the Internet hasn't really affected us," says Reese, whose bank is the last of the three Pineville-based banks to remain independent.

Reese could be forgiven if he's downplaying the Internet's impact. Evans, the manager of the Security First branch, says one local rival, who he wouldn't name, asked him recently about opening an account at the bank. He also says that a local community college will provide Internet access to Pineville residents by next year.

For Evans, all of this excitement is quite a heady experience for someone who got started 22 years ago fresh out of college as the bookkeeper for First Federal Savings. Back then he had to calculate mortgage interest payments with an electronic adding machine that covered a third of his desk. And when the bank started using a service bureau run by the Federal Home Loan Bank of Cincinnati, the mainframes there filled entire rooms. Now all of Security First's business, including its Internet access, is run on computers that are no bigger than pizza boxes.

"I wasn't even introduced to e-mail until I started to talk to Chip Mahan," he says. "Now my son's college advisor wants to know how he can open an account at Security First."

Something big is clearly happening on the Internet, and unless there's a major electronic theft that costs a bank many millions of dollars, it seems safe to say that Internet commerce is here to stay.

"We may be a little early," Mahan says. "Maybe we're not as close to being ready for prime time as we think we are, but even if it takes another five years, we'll be learning."

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.