The Hope and Threats of New Domain Names for the Financial Services Sector

If a website uses a domain name containing the word "bank," is it really a bank? The answer may be as puzzling as the ancient thought-provoking philosophical question, "If a tree falls in a forest and no one is around to hear it, does it make a sound?" With the rising problems that banks and other financial institutions are facing online, the question is becoming increasingly important.

Fortunately, there's a (relatively) short answer to the bank domain name question. Unfortunately, it's like the answer to many legal questions: It depends.

It depends where in the domain name the word "bank" appears:

  • If the word "bank" is a part of the second-level portion of the domain name, such as <bankofamerica.com>, then the corresponding website may or may not be for a real bank. (To be clear, the domain name I just cited as an example is indeed used by Bank of America -- a real bank.) That's because second-level domain name registrations in most top-level domain names (such as .com) are not restricted. In other words, anyone can register a second-level domain containing the word "bank" in the .com top-level domain.
  • On the other hand, if the word "bank" is actually the top-level domain (TLD) -- that is, .bank -- then the domain name must be associated with a website for an actual bank or related entity. That's because the .bank TLD, operated by fTLD Registry Services (which also operates .insurance), is restricted. Specifically, fTLD's Registrant Eligibility Policy for .bank states that .bank domains are available only for "[s]tate, regional and provincial banks that are chartered and supervised by a government regulatory authority," or certain other qualified banks or bank-related entities.

The distinction is an important one.

That's because many domain names with the word "bank" in the second level are not registered by banks and, instead, have been used to conduct various scams. For example, the domain name <capitallbank.com> was used by a cybersquatter (not by Capital Bank) to "conduct a phishing scheme designed to obtain sensitive personal and financial information" from Capital Bank's customers. Other domain names, such as <amgybank.com> and <td-bank-support.com>, have been used by cybersquatters to provide banking-related links that were not necessarily associated with the obvious trademark owners (that is, Amegy Bank and The Toronto-Dominion Bank).

Fortunately, all of the domain names in the preceding paragraph, which were once registered by cybersquatters, were transferred to the real banks through proceedings under the Uniform Domain Name Dispute Resolution Policy (UDRP).

Real banks apparently are finding the .bank TLD attractive. For example, Badger Bank in Wisconsin is now using the domain name <badgerbank.bank> because "banking staff knew that instituting a .BANK domain name would help solidify its strategic plan of focusing on cybersecurity measures to better serve its customers."

But, not all of the new gTLDs are restricted, including many of those that might be attractive to banks or other financial service providers. For example, .creditunion is intended for use only by "organizations that have a nexus with the credit union sector." But .creditcard is unrestricted.

Given the long list of new gTLDs that are associated with the banking and financial services industries -- such as .accountant, .broker, .financial, .fund, .markets, .money, .mortgage, .netbank and .trading (just to name some!) -- the potential for confusion (by both trademark owners and their customers) is apparent.

Additionally, many of the hundreds of other new gTLDs that have nothing to do with the financial services sector are being used by cybersquatters. For example, banks already have filed and won UDRP complaints for the domain names <dollarbankloancenter.xyz>, <citibank.porn>, <hancockbank.online> and <tdbank.email>.

Thus, it is apparent that the new gTLDs are providing both opportunities and significant new risks for banks and other financial service providers. As a result, these organizations must become even more vigilant in policing domain names that violate their trademarks, to protect their customers as well as the future of their ability to safely conduct business online.
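The distinction drawn above (the restricted .bank TLD versus "bank" in an unrestricted second-level label) and the kinds of lookalike registrations cited can be checked mechanically when monitoring new registrations. The following is an added example, not part of the original article: the watch list, the owned-TLD sets and the distance threshold are assumptions, and the last label is treated as the TLD without consulting the public suffix list.

```python
# Added example, not from the original article. Watch list and owned TLDs
# are constructed assumptions; the last label is taken as the TLD.
RESTRICTED_TLDS = {"bank", "insurance"}   # restricted fTLD registries
WATCHLIST = {                             # protected label -> TLDs assumed owned
    "capitalbank": {"com"}, "amegybank": {"com"},
    "wellsfargo": {"com"}, "tdbank": {"com"}, "citibank": {"com"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete from a
                           cur[j - 1] + 1,               # insert into a
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def classify(hostname: str, max_distance: int = 1) -> dict:
    """Say where 'bank' sits in the name and whether it imitates a watched label."""
    labels = hostname.strip("<> \t").rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a domain name: {hostname!r}")
    tld, sld = labels[-1], labels[-2]
    squashed = sld.replace("-", "")       # td-bank-support -> tdbanksupport
    out = {"tld": tld, "sld": sld, "restricted_tld": tld in RESTRICTED_TLDS,
           "bank_in_sld": "bank" in sld, "brand": None, "finding": None}
    for brand, owned_tlds in WATCHLIST.items():
        if sld == brand:                  # exact label: only the TLD differs
            finding = "owned" if tld in owned_tlds else "same-name-other-tld"
        elif brand in squashed:           # brand padded with extra words/hyphens
            finding = "brand-embedded"
        elif edit_distance(squashed, brand) <= max_distance:
            finding = "typo"
        else:
            continue
        out.update(brand=brand, finding=finding)
        break
    return out
```

A name such as <badgerbank.bank> comes back with `restricted_tld` set and no finding, while <bankofamerica.com> shows `bank_in_sld` only, which by itself says nothing about who registered it.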

The Growing Threat of Cybersquatting in the Banking and Finance Sector

The apparent cyber heist of $81 million from the Bangladesh central bank's U.S. account may cause some people to question the security of online banking. While the online theft prompted SWIFT -- a cooperative owned by 3,000 financial institutions around the world -- to make sure banks are following recommended security practices, the incident also could have ramifications for banking customers worldwide. Indeed, the Bangladesh online banking break-in comes just as the World Intellectual Property Organization (WIPO) identified the banking and finance industry as the second-most-popular sector to file cybersquatting complaints in 2015. Nine percent of all domain name disputes at WIPO last year were filed by bank and finance owners, second only to the fashion industry.

WIPO identified the following banking and finance entities as among the most active pursuers of cybersquatters: Banco Bradesco, Bank of Scotland, Bloomberg Finance, Comerica Bank, Intesa Sanpaolo, Lloyds, Saxo Bank and Sydbank.

At the Forum, the second most-active provider of domain name dispute services, the list of banks that filed domain name disputes in 2015 is more U.S.-centric, including complaints by American Express, Bank of America, Barclays, Discover Financial Services, OneWest Bank, Regions, TD Bank and Wells Fargo.

Using UDRP and URS to Fight Cybersquatters

While most of these cases were filed under the Uniform Domain Name Dispute Resolution Policy (UDRP), companies from the banking and financial services industries also are taking advantage of the new Uniform Rapid Suspension System (URS) to tackle registrations in the new generic top-level domains (gTLDs), such as .club, .guru, .services, .top, .wiki and .xyz. Morgan Stanley, Principal Financial Services and PayPal have all used the URS to their advantage.

In many cases, the domain name disputes initiated by banks involve phishing scams, that is, where the cybersquatter tries to trick a customer into providing his or her account information. For example:

  • In one Wells Fargo case, involving the domain name <welilsfargo.com>, the UDRP panelist found that the registrant of the domain name was "seeking to deceive Internet users by providing a web site containing a near identical copy of [Wells Fargo's] web site and seeking to fraudulently obtain personal information from Internet users through a phishing scam."
  • Similarly, in a UDRP case for <lloydsprivatecommercialfinance.com>, Lloyds Bank said that "[t]he disputed domain name is used to host a website appearing to offer financial services, but there is no proof there of any delivery of such services, nor any mention of any official authorization, as would be mandatory. The Respondent appears intent on making unjustified profits or defrauding consumers to reveal personal or proprietary information."

Phishing, Crimeware and Education

These banking-related cybersquatting cases are consistent with a general increase in phishing scams overall: The non-profit Anti-Phishing Working Group (APWG) reported that the financial services industry was the second-most-targeted industry sector in the fourth quarter of 2015 (behind only the retail/service sector). The APWG also notes that access to financial-based websites is the most common target for "crimeware" attacks, which it defines as "data-stealing malicious code designed specifically to be used to victimize financial institutions' customers and to co-opt those institutions' identities."

Although online banking is now commonplace, some customers continue to fall for some scams. Indeed, the Federal Trade Commission warns consumers that they should never click on links in email messages requesting financial information. And individual banks send similar messages. For example, Bank of America cautions its customers about the common "phony email ask[ing] you to go to a website that looks like a Bank of America site, but is actually a site the criminal has set up asking you to provide your personal account information."

Despite these warnings, phishing and crimeware attacks targeting the banking and finance sector are not likely to disappear anytime soon, as the reports from WIPO and the APWG make clear. While banks and financial service providers should continue to educate customers, the UDRP and URS remain important -- and very effective -- tools for tackling cybersquatters and ensuring that online banking remains safe.

What is the Intellectual Property Constituency (IPC)?

As a longtime member of ICANN's Intellectual Property Constituency (IPC), I’m impressed by the important work that this group does on behalf of trademark owners worldwide (as I've written before). While some die-hard IPC members spend countless (and, often, thankless) hours working virtually and in-person (at ICANN's global meetings) for the constituency, I find it very educational and worthwhile to participate on an ad-hoc basis. Thanks to active email discussion lists and remote participation technology, the IPC offers numerous opportunities to get engaged with important issues affecting, primarily, the intersection of trademarks and domain names.

For example, at the recent ICANN meeting in Marrakech, Morocco, the Generic Names Supporting Organization Council (a part of ICANN's policy development entity) approved a working group to review all rights protection mechanisms in the generic top-level domains (gTLDs), an area that is of obvious importance to IPC members, who will certainly contribute greatly to its work.

Still, despite all of the IPC's significance, I often find that many people are simply unaware of what this constituency is -- or, at least, what it does and who drives it. Fortunately, the IPC recently published an updated "one-pager" (well, it's really a 2-page PDF document) about itself, which provides some great introductory information.

Among other things, the document makes clear that the IPC is "primarily focused on trademark, copyright and related intellectual property rights, and their effect on and interaction with the domain name system (DNS)."

The IPC's "key" issues, as described in the document, are as follows:

  • WHOIS/registration directory services, including WHOIS accuracy, availability of WHOIS information, translation and transliteration of WHOIS information, privacy and proxy services, and advancements in “next generation” registration directory services.
  • Reviews of ICANN’s New gTLD Program including competition, consumer trust and consumer choice, and planning for subsequent rounds.
  • Reviews of rights protection mechanisms (RPMs) for the New gTLD Program and for “legacy” gTLDs, including the Uniform Rapid Suspension System (URS), the Trademark Clearinghouse (TMCH), and the Uniform Domain-Name Dispute-Resolution Policy (UDRP).
  • Internet governance, including the IANA Stewardship Transition and the associated process to enhance ICANN accountability.
  • Issues related to geographical indications and other geographic terms.
  • Abuses and concerns related to the New gTLD Program, both overall and with specific registries and new gTLDs.
  • Strong, consistent enforcement of ICANN’s contracts with registries and registrars, especially new provisions regarding the protection of intellectual property rights.

I recommend the IPC one-pager for anyone interested in learning more about these issues, including those who might want to join the constituency and further contribute to the protection of intellectual property on the Internet.

Beware of YouTube's 'Community Guidelines'

As an attorney who spends every day helping clients protect themselves online, imagine my surprise when I received an email from YouTube with the subject line, "Your video has been removed from YouTube." And the email was intended for me, not for one of my clients. Amazingly, the video that YouTube removed was one I created -- about how to protect yourself online! It was a recording of a webinar I had recently presented, titled "Domain Name Disputes: What Happened in 2015 (and How to Protect Yourself in 2016 and Beyond)." The video had been published on YouTube for several days before I included a link to it on my GigaLaw blog. Within a few hours, YouTube removed it.

Why? Good question.

What the 'Community Guidelines' Forbid

YouTube's email simply said:

The YouTube community flagged one or more of your videos as inappropriate. After reviewing the content, we’ve determined that the videos violate our Community Guidelines.

Naturally, I "Googled" "youtube community guidelines" (since YouTube's email perplexingly did not contain a link to them), which led me to a page warning users, "Don't cross the line." The page identifies the following types of taboo videos:

  • Nudity or sexual content
  • Harmful or dangerous content
  • Violent or graphic content
  • Copyright
  • Hateful content
  • Threats
  • Spam, misleading metadata, and scams

Of course, these categories are just shorthand for more complete descriptions. Reading the headings alone isn't very informative. For example, most videos are protected by copyright law -- the question is whether the user who posts the video has appropriate rights to do so.

In any event, it was impossible even to imagine which of these categories might have been implicated in the decision to remove my video. After all, I (and my co-presenter) created all of the content in the video, which consisted solely of PowerPoint slides and our narration. No music, no movie clips, no photographs. Certainly no nudity (though there is one slide that discusses the impact of adult-related domain names -- .adult, .porn, .sex and .sexy -- on trademark owners). Nothing that could possibly be considered harmful, dangerous, hateful (I've served as a member of the ADL Anti-Cyberhate Working Group) or threatening. And nothing related to spam, scams or the like. After all, these are the issues I counsel my clients to avoid.

My Successful Appeal to YouTube

So, embarrassed that my webinar video had been taken down so soon after I informed my blog readers that it had been posted, I immediately (within 17 minutes) responded to YouTube, via their "appeal" process, which essentially consisted of a short form. I had room for perhaps a sentence or two -- nothing that would allow for much explanation or legal argument.

And then, about 15 hours later, I received another email from YouTube:

After further review, we've determined that your video doesn't violate our Community Guidelines. Your video has been reinstated and your account is in good standing.

Good news, of course. Though, in the maddening interim, I had replaced the video link in the blog post with a new copy of my webinar video, this time hosted on Vimeo instead of YouTube. (There are plenty of arguments out there about which service is better, but I won't digress.) I had become impatient and did not want the entire business day to pass with the video offline.

Although I was happy that YouTube had restored the video, I remained perplexed. Why was it taken down in the first place? Why wasn't I given an opportunity to respond to any complaints before it was taken down (as is common in copyright-related situations under the Digital Millennium Copyright Act)? And why was it reinstated?

So, I asked YouTube. Via email. Twice. But, of course, no answer.

YouTube's lack of a response is frustrating, but understandable. After all, Google reported last year that it receives 2.2 million takedown requests every day.

Lessons About Online Publishing

While, in a sense, all's well that ends well, the experience has certainly left me frustrated -- and more empathetic to website publishers who have to deal with issues like this all of the time.

So, what did I learn? At least three important lessons:

  • Using a free service (such as YouTube) often means that customer service will be lacking, or absent. While I was frustrated that YouTube's decision seemed arbitrary, I had few grounds for complaint, and certainly no real person to whom I could complain.
  • Always have a backup plan. Fortunately, YouTube quickly (and rightly) restored my video, but not before I reposted it with Vimeo. While I was able to do so as soon as possible, there was some true "downtime" where users couldn't view the video. With better planning, I could have replaced the video even more quickly.