Home > News & Events > Financial Institution Letters
Financial Institution Letters
TO: Chief Executive Officers of All FDIC-Supervised Banks
SUBJECT: Protecting Internet Domain Names
This bulletin alerts senior bank management to potential domain name-related problems, and highlights actions that may help to avoid or resolve such problems.
Nature of the Problem
Risk Management Techniques
To prevent customer confusion, reputational harm, fraud and legal disputes, bank management can employ a number of practices and techniques. Timely registration and renewal of a bank's domain name(s) are important to assure that the bank acquires and retains ownership of the Internet addresses that it desires. Any lapses in registration could result in the loss of a domain name to another party.
Bank management may choose to consider acquiring more than one domain name to retain control over the use of all similar names. However, this strategy may entail financial and administrative costs. Either way, institutions may benefit from conducting periodic Internet searches to determine whether there are names being used that are similar to their domain name, legal name or other trade/product names. In addition to similar domain names that have different suffixes (e.g., bankname.com and bankname.net), management also may want to look for variations in spelling and punctuation (e.g., bankname.com and bank-name.com).
Depending on the nature of the problem involving a bank's domain name, management may pursue various courses of action. Legal recourse may be available under the Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. §1125(d), which prohibits registering or using a domain name that is confusingly similar to another name, with the intent to profit. Other situations involving Web sites that are used to promote fraud or illegal activity can be addressed under existing laws that address financial fraud and computer crime (e.g., 18 U.S.C. §1101 - Fraud and False Statements, 18 U.S.C. §1030 - Fraud in Connection with Computers, 18 U.S.C. §1343 - Wire Fraud). Banks also are reminded that suspicious activity involving domain names should be reported according to existing instructions for filing Suspicious Activity Reports with their primary federal regulator and law enforcement agencies.
Disputes over domain names also can be handled by private arbitrators. A dispute resolution process, outlined in the Uniform Domain-Name Dispute-Resolution Policy, has been established by the Internet Corporation for Assigned Names and Numbers (ICANN) to deal with conflicts arising over domain name ownership. All registrars in the .com, .net, and .org domains are subject to this policy, the text of which can be accessed at ICANN's Web site at www.icann.org.
It is important that bank management be alert to security considerations regarding domain name servers, which are computers that allow Internet users to locate information and resources on the Internet by domain name. These servers maintain a database of domain names and their corresponding network locations. Unauthorized changes to the server could result in misdirected Internet traffic or obstructed access to a bank's Internet site. While many banks outsource this function to third-party service providers, bank management can ensure that security features are in place and assessed periodically.
Management also can consider security in its communications with the bank's domain name registrar. For example, to prevent unauthorized changes to a bank's domain name information, management can ensure that proper controls are in place for authenticating and authorizing all requests for modifications to its registration.
For More Information
Questions and requests for additional information can be directed to DOS E-Banking Branch by e-mail at firstname.lastname@example.org.
Christie A. Sciacca
Director, Bank Technology Group
|Last Updated email@example.com|