DeepGreen Archives

Password Procedures at 15 Financial Institutions

By Jim Bruene on April 8, 2003 7:23 PM

Using our live test accounts, we changed passwords then subsequently “forgot” the new one to test how major financial institutions handle the situation. Overall, most received good marks, although everyone has room for improvement.  


 

 

Table 1

Password Scorecard

| Safe Practices | Yes | No | Unknown |
| --- | --- | --- | --- |
| Use a third password or challenge question | 1 | 13 | |
| Disable Internet Explorer AutoComplete | 9 | 5 | |
| Require 4 or more characters in passwords | 13 | 1 | |
| Bank determines username | 6 | 8 | |
| Require more than account number and social security number for online password reset | 4 | 4 | 6 |
| Send confirmation of password change to email address | 2 | 12 | |
| Send confirmation of online password reset to email address | 2 | 6 | 6 |
| Send confirmation of password reset to mail address | 2 | 6 | 6 |
| Allow more than 3, but less than 11 unsuccessful password attempts* | 6 | 5 | 3 |
| Warn users in advance of account lockup | 3 | 11 | |

Source: Online Banking Report, 4/03
*We believe users should have at least 5 login attempts, with clear instructions before and after lockout

 

Testing process

1. Login with existing username and password

2. Change password or username

3. Logout

4. Use online password reset if available

5. Attempt to log back in 10 times with an incorrect password


 

 

American Express

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete function not disabled
(2) No email confirmation of password change
(3) Account lockout too quickly, after third login try

Password structure: User defined, 6 to 8 characters with at least 1 letter and 1 number

Username structure: 5 to 20 characters with at least 1 letter

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Email confirmation of password change/reset: No

Online password reset: Yes, with card number, 4-digit card ID (on face of card), work phone number, last 4 digits of soc, and 5-digit zip code

Account lockout with excessive login attempts: Yes, after third attempt; red warning issued after attempt two

Online username retrieval: Depends, certain accounts can retrieve their username online, others must call; we were in the latter group so could not test this feature

AutoComplete is not disabled on the login screen.

User friendly: American Express warns users after their second unsuccessful login that they will be locked out after one more attempt.

Password reset, step 1: Enter userid, card number, and 4-digit code from back.

Password reset, step 2: Enter personal info for authentication.

 

Bank of America Credit Card

 

Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 9 to 20 numbers

Password structure: 4 to 7 characters; cannot repeat 4 or more in same sequence as username; cannot be same character repeated

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 4 attempts; help section carries clear warning

Online username retrieval: No

BofA provides a helpful popup screen with each unsuccessful password attempt.

 

 

 

 

 

Centura Bank

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) No warning of account lockout
(3) No customer service link or HELP available from login screen

Username structure: Social security number (with dashes)

Password structure: 6 to 15 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Password change: Online with old password; but neglected to provide an on-screen confirmation that the change occurred, an annoying usability flaw

Online password reset: No, must call; password sent via postal mail

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after sixth unsuccessful attempt; no prior warning

Online username retrieval: Unnecessary (SSN)

Centura had the best login screen “security look and feel.” It also provides a link to disclosures, but not a single mention of customer service or online help, even after making an unsuccessful login attempt. Evidently the bank’s lawyers have been through the site, but where’s customer service?

 

Charter One Bank

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No warning prior to account lockout
(4) No message after account lockout
(5) A bit too easy to gain read-only account access for new users; requires account number and social security number. However there is a crucial safeguard for bill payment which requires mother’s maiden name, date of birth, home phone number, and a 2-day waiting period.

Username structure: Social security number

Password structure: Must be at least 6 characters

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, not sure when it happens, sometime before the tenth attempt; the bank does not provide a warning of impending lockout, nor does it let you know after you’ve been locked out; you only receive a cryptic error message.

Online username retrieval: Unnecessary (SSN)

 

AutoComplete has not been disabled at account login.


 

New users enroll with social security number and account number. Note the excellent use of security graphics during enrollment.

 

Chase Bank

 

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) No warning of upcoming account lockout
(3) No message after account lockout

Username structure: User defined, must include one number

Password structure: 6 to 10 characters, 1 of which must be a number

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with name, account type, account number, social security number, and two user selected challenge questions

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, sometime during the first 10 attempts; no warning message and no indication when account is locked out, a “try again” message just keeps repeating

Online username retrieval: Yes, displayed online after entering name, account type, account number, social security number

Chase is one of the few banks offering online retrieval of forgotten usernames. After correctly entering name, account number, and social security number, the username is displayed. At that point you can login if you know your password. If not, you can retrieve your password online by answering two previously selected challenge questions. This is great from a usability standpoint, but the bank should send a confirmation via email and/or snail mail.

To reset the password, users answer two previously established challenge questions.

   

  

DeepGreen Bank

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No minimum password length, can be a single letter or the same as the username
(4) No warning before account lockout
(5) No message after account locked out

Username structure: User defined, can be all alpha

Password structure: 1 to 14 characters, can be the same as the username or a single character

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password and mother’s maiden name

Online password reset: Yes, with social security number and mother’s maiden name

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, but not sure when because the lockout is not disclosed until the user attempts to login with correct username/password.

Online username retrieval: No, must call, then wait 7 to 10 days to receive in the mail

A common security vulnerability: Failure to disable IE 6’s AutoComplete function.

 


 

 

Everbank

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) AutoComplete not disabled
(2) No email confirmation of password reset, even though it can be reset with info available to an identity thief, SSN and mother’s maiden name
(3) No email or on-screen confirmation of p/w change
(4) No warning before account lockout
(5) No help on login screen for the memory challenged

Username structure: Initially set as social security # (with dashes); can be changed online one time; 8 to 24 characters, not similar to current username, not same as password, not offensive, at least 2 numbers and 2 alphas

Password structure: 8 to 16 characters with at least one number and one letter, not similar to username, not similar to prior password, not the same reading backward and forward

Second password/challenge: No

IE 6 AutoComplete disabled: No

Password change: Online with old password; no confirmation of the change provided on-screen

Email confirmation of password change/reset: No

Online password reset: No, must call; new temp password given over the phone after providing SSN, name, address, date of birth, and mother’s maiden name

Account lockout with excessive login attempts: Yes, after fifth attempt, must call to reactivate; no warning prior to lockout

Online username retrieval: No, must call

Everbank provides no help at login for users that forget username or password, just a lengthy warning written by the lawyers.

 

First USA Credit Card (Bank One)

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password/username change or reset; especially important given relative ease of resetting username/password
(2) No warning before account lockout

Username structure: User defined, 7 to 16 characters, case sensitive

Password structure: 7 to 32 characters, case sensitive, must have at least 1 number, may not use the same letters consecutively, cannot match username or social security number.

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online username change: Yes, with old password

Online password reset: Yes, with credit card #, social security #, signature panel code, and expiration date

Online username reset: Yes, with credit card number, social security number, signature panel code, and expiration date

Email confirmation of password or username change/reset: No

Account lockout with excessive login attempts: Yes, locked out after four attempts, no warning given

First USA is the only financial institution tested which allowed usernames to be reset online; nice for usability but a confirmation of the reset should be emailed and/or mailed to the cardholder.

 

Harris Direct (brokerage)

 

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change (though there is for password reset)
(2) Only 3 login attempts allowed before lockout (but can reset online relatively painlessly)

Username structure: User defined, 6 to 15 characters

Password structure: 6 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, a new disguised password is emailed after entering username and birth date; the new password is created from the account holder’s mother’s maiden name and social security number but is not disclosed in the email, e.g. the first 2 letters of mother’s maiden name plus last 4 digits of social security number.

Email confirmation of password change: No

Email confirmation of password reset: Yes, confirmation also sent via snail mail

Account lockout with excessive login attempts: Yes, after third attempt, but can be reset online; no warning before lockout

Online username retrieval: No, must call

HarrisDirect allows online reset after your account has been locked out for excessive login attempts. It was the only company which emails a disguised new password when resetting. For good measure, they also mail an identical confirmation.                    


 

 

 

ING Direct

 

Password Scorecard

Grade: Excellent

Username structure: Account number

Password structure: 4-digit number (called PIN)

Second password/challenge: Yes, one of 5 user-specified questions asked at login (see below)

IE 6 password remember disabled: Yes

Online password change: Yes, with old password

Email confirmation of password change: Yes; confirmation also sent via postal mail

Online password reset: No, must call

Account lockout with excessive login attempts: No (not in the first 10 attempts)

Online username retrieval: Unnecessary (acct #)

ING Direct is the only bank we know of using a challenge question at login. In addition to account number and password, one of these five rotating questions must be answered correctly:

  •  first 4 digits of social security number

  •  zip code of mailing address (first 5 digits)

  •  birth year (4 digit)

  •  last 3 digits of social security number

  •  last 4 digits of social security number

We like the concept, but the implementation is weak. By simply refreshing the browser screen, the would-be thief can select which question to answer, one of which is zip code, which is trivial to ascertain. 
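One way to close the refresh gap described above, shown next to the weak behaviour. This is an added example, not ING Direct's code; the class names, question ids and the five-failure limit are assumptions made for illustration.

```python
import hmac
import secrets

# Question ids are constructed labels for the five questions listed above.
QUESTIONS = ["ssn_first4", "zip5", "birth_year", "ssn_last3", "ssn_last4"]


class PerLoadChallenge:
    """Weak form: a fresh random question on every page load."""

    def question_for(self, account):
        return secrets.choice(QUESTIONS)


class PinnedChallenge:
    """Hardened form: one question per account, held until answered correctly."""

    def __init__(self, answers, max_failures=5):
        self._answers = answers      # {account: {question_id: answer}}
        self._pending = {}           # account -> question currently pinned
        self._failures = {}          # account -> consecutive wrong answers
        self._max_failures = max_failures

    def question_for(self, account):
        # Reloading the login page returns the same question, so the
        # visitor cannot shop for the easiest one (e.g. zip code).
        if account not in self._pending:
            self._pending[account] = secrets.choice(QUESTIONS)
        return self._pending[account]

    def is_locked(self, account):
        return self._failures.get(account, 0) >= self._max_failures

    def verify(self, account, question, answer):
        if self.is_locked(account):
            return False
        pinned = self.question_for(account)
        expected = self._answers.get(account, {}).get(pinned)
        ok = (
            expected is not None
            and question == pinned   # answers to other questions are rejected
            and hmac.compare_digest(answer.encode(), expected.encode())
        )
        if ok:
            # Only a correct answer releases the pin; the next login
            # gets a newly drawn question.
            del self._pending[account]
            self._failures[account] = 0
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
        return ok


def questions_seen(challenge, account, page_loads=200):
    """Distinct questions a visitor can surface by reloading the page."""
    return {challenge.question_for(account) for _ in range(page_loads)}


if __name__ == "__main__":
    # Constructed sample account and answers.
    sample = {"1001": {q: "0000" for q in QUESTIONS}}
    print("per-load:", sorted(questions_seen(PerLoadChallenge(), "1001")))
    print("pinned:  ", sorted(questions_seen(PinnedChallenge(sample), "1001")))
```

With the pinned form, wrong answers also count toward a failure limit, so the question cannot be cycled by guessing either.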

 

PayPal

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) AutoComplete not disabled on the password reset screen (it is disabled on login page)
(2) Username (email address) known to others

Username structure: Email address

Password structure: 8 to 24 characters case sensitive; recommended, but not required that it include upper and lowercase and at least one number or special character

Second password/challenge: No

IE 6 AutoComplete disabled: Varies; yes, on main login screen, no on password reset screen

Online password change: Yes, with old password

Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail

Email confirmation of password change/reset: Yes

Account lockout with excessive login attempts: Yes, after 10 unsuccessful attempts; a lockout warning appears after the seventh attempt

Online username retrieval: Not necessary since username is equal to email address


 

PayPal is one of the few financial companies using cookies to automatically insert usernames at login. The company has used this approach since inception, so they must feel that the improved usability more than compensates for the decrease in security.

 

 

PayPal’s online password reset process requires the user to have access to the email account registered with the service. If not, users answer one of four authentication questions (top screen) and the password is mailed to one of the previously confirmed snail mail addresses (bottom screen).

PayPal explains after the seventh incorrect password attempt that you have 3 more tries before lockout. This is a far more reasonable approach than many banks’ three-strikes-and-you-are-out policy.
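A lockout counter that behaves the way this review recommends: at least 5 tries, a warning before lockout, and a clear message after it. This is an added example, not PayPal's implementation; the defaults copy the 10-attempt limit and seventh-attempt warning reported above, and the class name and message wording are assumptions.

```python
from dataclasses import dataclass, field

LOCKED_MSG = ("This account is locked after too many failed logins. "
              "Reset your password online or call customer service.")


@dataclass
class LockoutPolicy:
    max_attempts: int = 10    # failures allowed before lockout
    warn_after: int = 7       # first failure that carries a warning
    failures: dict = field(default_factory=dict)   # username -> failed count

    def __post_init__(self):
        # Footnote to Table 1: users should get at least 5 login attempts.
        if self.max_attempts < 5:
            raise ValueError("allow at least 5 attempts before lockout")
        if not 0 < self.warn_after < self.max_attempts:
            raise ValueError("the warning must come before the lockout")

    def record(self, username, password_ok):
        """Return (state, message) for one login attempt."""
        count = self.failures.get(username, 0)
        if count >= self.max_attempts:
            # Say so explicitly, even when the password is right, instead
            # of repeating "try again" or a cryptic error.
            return ("locked", LOCKED_MSG)
        if password_ok:
            self.failures[username] = 0
            return ("ok", "")
        count += 1
        self.failures[username] = count
        remaining = self.max_attempts - count
        if remaining == 0:
            return ("locked", LOCKED_MSG)
        if count >= self.warn_after:
            tries = "try" if remaining == 1 else "tries"
            return ("warning",
                    f"Incorrect password. {remaining} more {tries} "
                    "before this account is locked.")
        return ("failed", "Incorrect password.")


if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed run: ten wrong passwords, then the correct one.
    for attempt in range(1, 11):
        print(attempt, policy.record("sample_user", False))
    print("correct password:", policy.record("sample_user", True))
```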

 

Schwab

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too quickly, after 3 login attempts, but can be reset relatively easily online

Username structure: Account number or social security number

Password structure: 6 to 8 characters including at least one number BETWEEN the first and last characters; cannot match or be a subset of username

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, in one of two ways;
(a) If logging in with account number, you must provide social security number, date of birth, home phone number, and correctly pick a security in your account from a list of 10 choices including “none of the above”
(b) If logging in with a social security number, you must only provide the answer to the secret question.

Can also reset via automated phone system.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 3 attempts; no warning prior to lockout

Online username retrieval: Not necessary (acct. # or soc. #)

Schwab’s unique password reset process requires the usual social security #, birth date, and telephone, plus users must correctly choose one of ten securities in the portfolio (including “none of the above”).          


 

 

US Bank

 

Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 8 to 24 characters

Password structure: 8 to 24 characters

Second password/challenge: No

IE AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with ATM card number and ATM PIN; new password displayed online

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 6 attempts; can reset online or wait 24 hours; no prior warning

Online username retrieval: No, must call

Password change screen. Note the prominent placement of what happens next.

 

Forgotten password can be reset online with ATM card number and PIN.

 

Wells Fargo

 

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too soon, after 3rd login try

Username structure: Social security number

Password structure: 5 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with statement account number and ATM PIN; those without an ATM PIN are directed to call customer service.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 3 attempts; user redirected to online password reset page; no prior warning

Online username retrieval: Unnecessary (SSN)

Wells offers six options for where to go immediately after login.

After three unsuccessful login attempts users are directed to reset their password, which can be done online with account number and PIN.    


Gallery of Financial Institution Emails

By Jim Bruene on December 7, 2001 11:34 AM

Following are some of the better emails we’ve seen from financial providers in recent months. Because we only see those from financial institutions where we have established relationships, we would appreciate seeing others you’ve received. Send them to: info@onlinebankingreport.com.


 

Wells Fargo/ShareBuilder


This is our favorite holiday email. It was marketing NetStock’s ShareBuilder on behalf of co-branding partner Wells Fargo. It was sent the week after Thanksgiving (Nov. 28) and featured an engaging graphic of a young child and just 32 words of text (not including the mousetype fine print).

The pitch was for starting ShareBuilder accounts for children, with a $25 bonus for accounts opened prior to Dec. 31. A unique, if somewhat complicated, holiday gift idea for parents and grandparents.

 
 

First USA


This is a good example of a simple old-fashioned holiday greeting. FirstUSA punched it out on Christmas Eve and included a well-crafted P.S., “Maximize your holiday time by managing your accounts online at: Cardmemberservices.firstusa.com.”


 

 

PayPal


PayPal sent several emails during the holiday period promoting a usage sweepstakes that rewarded users for shopping with PayPal. Taking a page from Visa’s annual holiday promotion, winners received their PayPal purchase free of charge. This message kicked off the program on Nov. 30.

PayPal also provided shopping ideas and a link to a directory of PayPal shops (right-hand side of the screen). The look of the emails was crisp and clean like the company’s Web site, but we would have preferred a bit more holiday cheer in the graphics.


 

 

DeepGreen Bank


DeepGreen Bank sent this message on Dec. 10 promoting holiday usage of its Home Equity Line of Credit. The message was pretty straightforward and was signed by DeepGreen CEO Jerome Selitto.

It’s a good email overall, but it’s a bit boring. The usual, great rates, great convenience, yada, yada, yada. To increase readership, it would be better to put some of the info into eye-catching graphics.

The company made a serious error by not putting DeepGreen in either the email subject or sender field. Unless you know the CEO, it looks a lot like a SPAM until you open it.

 

Intuit’s Quicken.com


We received our first holiday email from Intuit on Nov. 15, with a message entitled, “Holiday Gift and Sending Guide.” The message had the usual format of Intuit’s monthly Money Matters email letter, with no holiday graphics. Besides the spending and gift advice, it featured a fifth anniversary sweeps for NetBank.

Although much of the advice is boilerplate, we like how it positions Quicken.com as a provider of thorough and timely advice about all aspects of your financial situation.

Normally, we don’t like to see outside advertising, but the NetBank sweeps added interest to the message.


 

NextCard


The December installment of NextCard’s monthly email newsletter was full of shopping discounts. The full newsletter was a bit cluttered taking up about four screens (at 800x600 on a 19-inch monitor).

The newsletter also promoted the Visa Magic Moments sweepstakes that awarded cardholders free purchases at a randomly selected second every day (box on the right).

To help differentiate its message from in-box SPAM, NextCard incorporates the cardholder’s first name in the email subject field.


DeepGreen Delivers Home Equity Loans Optimized for the Net

By Jim Bruene on August 4, 2000 4:42 PM

Anatomy of a Start-up

www.DeepGreenBank.com

DeepGreen’s home page is relatively uncluttered, but at 100 words, it still trails NextCard’s “gold standard” of 25 to 30 words.


Although you have to scroll down to see it, the “Get $5,000, $10,000, $15,000 wired to your checking account in 20 minutes….” (above) is a great hook and powerful selling message.



The newest Internet-only entrant came out of beta on August 16. Company execs were in Seattle and briefed OBR on the company’s innovative products: a no-doc online Home Equity Line of Credit (HELOC) and a “penalty-free*” CD. The CDs are standard fare, but the HELOC is superb. Despite some reservations that we’ll discuss later, we are giving the HELOC an OBR Best of the Web 2000 designation, only the third one of the year.

There are serious flaws in the customer experience that must be addressed for the bank to be successful. The management team has an impressive track record in financial services and marketing, but their lack of Web experience shows. The good news is that most of these problems can be easily corrected and we have no reason to believe they won’t be.

*All-Access is a two-year rising rate CD that allows penalty-free withdrawal every three months, and has a 7-day interest penalty at other times.


The Company: Currently, DeepGreen is structured as a highly autonomous, but wholly owned subsidiary of Cleveland’s Third Federal Savings Bank ($6.2 billion), a mutual savings bank owned by its depositors. Most of DeepGreen’s 41 employees work out of Cleveland, but the bank’s administrative offices are in Chicago where CEO Selitto was located prior to joining DeepGreen. The Internet unit has its own charter (purchased from a Florida thrift in Sept. 1999), its own board of directors, and its own technology. For now, Third Federal is committed to funding the unit, but down the road the bank will consider other sources of capital, including an IPO if appropriate. It spent the past nine months building the product and concurrently working with the OTS to approve its business plan (which happened in July).

The Technology: The bank made a significant investment in developing proprietary technology to gain a lead in the marketplace. It licensed Sanchez’s e-profile system as its base platform, but has customized the software using IT expertise from KPMG. Web site and graphic design is from Seattle’s Girvin.

The HELOC Product: What could be so exciting about a HELOC, offered by 10,000 or more financial companies in the USA? We’ll have to admit to being a little biased. Having been a loan product manager in the early ‘90s, we’ve long been frustrated with how overly complicated and expensive the home equity loan process is for top-notch borrowers. DeepGreenBank is working on both fronts with a simple mini-application on the front end and electronic appraisals on the back-end. Its tagline speaks to this positioning, The Online Bank for Grown-ups (above).


The stopwatch, combined with the eye-catching “online first”, “$15,000,” and “20 minutes,” make a dramatic impression.

Here are the features that make DeepGreen’s HELOC stand out from the crowd:

  • Mini-application: The entire application process takes just a few minutes using information from your wallet (no looking up account numbers or property assessments).
  • No-doc underwriting: Because the company only accepts A-rated credit applicants based on credit bureau scores, there is no income or employment verification. In fact, the company doesn’t even ask about income or employment. Line size is based entirely on credit bureau data and property value. Fraud detection software is used in the underwriting process to filter out fake applications.
  • No physical appraisal: The bank uses the applicant’s estimate of home value, along with information contained in public databases to determine the loan amount. The bank uses electronic appraisals exclusively, no physical appraisals (full or drive-by). By regulation, this limits loan size to $250,000; however, the bank hopes to convince regulators to allow electronic appraisals on higher loan amounts.
  • Bundled unsecured QuickCash: Since HELOC regulations require a 72-hour right of rescission, the bank has cleverly bundled an unsecured line of credit, called QuickCash, with the HELOC. Approved applicants can choose to have up to $15,000 of QuickCash wired into their checking account within 20 minutes of applying. The unsecured loan is automatically rolled into the HELOC provided the user applies for and is approved for the home equity loan. No interest is charged on QuickCash loans rolled into the HELOC.
  • Real-time balance transfer: Using an approach first seen at NextCard, approved applicants are automatically offered an opportunity to pay off their existing loan balances. Users are presented with a table of outstanding loan balances pulled directly from credit bureau data. To transfer a balance, users simply check the appropriate box and type in the amount desired.
  • Low ongoing rate (not a teaser): Loan pricing is competitive, with a variable rate pegged to prime rate less 5 basis points (currently 9.45%).


  • Line usage incentives: Rate reductions are provided to encourage line usage and automatic ACH (electronic) payments as follows:

HELOC Rate Discount Schedule

| What | Discount | Cumulative | Current |
| --- | --- | --- | --- |
| Base rate | n/a | n/a | 9.45% |
| ACH payment | 0.25% | 0.25% | 9.20% |
| 25% line usage | 0.20% | 0.45% | 9.00% |
| 50% line usage | 0.20% | 0.65% | 8.80% |
| 75% line usage | 0.20% | 0.85% | 8.60% |

Source: DeepGreenBank, 8/25/00

  • No fees: The loans carry no points, no origination fees, and no annual fees.
  • Lowest possible monthly payment: For the first five years, only interest must be repaid; no principal payments are required.
  • 100% LTV: Loan amounts up to 100% loan-to-value ratio (LTV) are allowed.
  • 7/24 closing: Closings take place at the user’s preferred location (home, office, yacht, etc.) anytime day or night including weekends and holidays. The user must sign the documents and show a picture ID. For security reasons, funds are wired after closing. Stewart Title handles the closings.

 

Management Team: Company execs are long-time mortgage industry veterans having founded and operated Amerin Guaranty Corporation, a mortgage insurance company sold to Commonwealth Mortgage Assurance Corporation, now known as Radian Guaranty (NYSE: RDN).

The DeepGreen Team

| Title | Name | Previous Experience |
| --- | --- | --- |
| CEO | Jerome Selitto | Founded Amerin Guaranty Corp., a mortgage insurance company sold to Radian Guaranty in 1999; prior experience included stints at Kidder Peabody, PaineWebber, First Chicago Capital Markets, and Florida Federal Savings and Loan. |
| CMO | Philip Yee | Headed Norwest’s mortgage marketing division before it merged with Wells Fargo; prior experience includes Marketing SVP at Amerin and the mortgage units of Chemical Bank, Bank of America, Prudential, and Great Western Bank. |
| CTO | David Hadley | Director at Lakefront Consulting; prior experience in Andersen Consulting’s Media Technologies Group. |
| CCO (chief credit officer) | Jocelyn K. Smith | Another Amerin veteran where she was Dir. of Risk Management; prior experience includes operational and underwriting work at Franklin Mortgage, Homebanc Mortgage Service, and Mortgage Guaranty Insurance Corp. |

Source: company, 8/16/00

Strategy: The bank is launching as both a B2B and B2C company. They have been in discussions with a number of banks and portals on providing co-branded HELOC lending services “powered by DeepGreenBank.” The bank is also planning a consumer launch this fall that will include print advertising in major markets, direct mail, online banners, and opt-in email. Advertising will be product focused alternating between CDs and HELOCs with a “rate plus benefits approach” according to CMO Philip Yee.

At this point, the bank has zero appetite for the so-called bricks-and-clicks strategy currently in vogue with the press and many analysts. The bank is betting that users will flock to online lending if it’s easy to use and delivers on the promise of an all-electronic interactive loan.

DeepGreen believes that its ease of use combined with upfront pricing will be more compelling than the unknowns consumers face when using a loan marketplace such as LendingTree. The bank doesn’t rule out participating in lending auctions to boost volume, but it doesn’t believe that auctions are the winning model for online lending.

The bank plans to be aggressive on price. Bank executives predicted that its initial CD rate would be the highest in the country. When we checked www.BankRate.com on Sep. 6, its 6.91% rate on the 6-month CD was in fact the highest in the nation, with a 3 basis point edge over www.umbrellabank.com. The 1-year rate was also number one by 4 basis points. www.BankRate.com does not publish a national ranking for the 2-year term. An upcoming DeepGreen feature will allow users to research competitive rates at www.BankRate.com right from the bank’s Web.

 

What’s Next: The founding team has a wealth of mortgage banking experience, so it’s only natural that they are eyeing the first mortgage market; however, rather than trying to be another E-Loan or www.Mortgage.com, they plan to specialize as a portfolio lender in the non-conforming* arena. This allows DeepGreen to offer higher-margin products that appeal to underserved markets, such as self-employed and those looking for jumbo mortgages (greater than $250,000). The bank is also looking at offering other liability products such as checking and money market accounts.

*Non-conforming mortgages are loans that cannot be sold in the secondary market to Fannie Mae or Freddie Mac due to loan size (greater than $257,000) or credit quality.


 

The Tax-Advantaged Borrowing section is typical. The design draws attention to the key HELOC selling benefits: “Tax Break” (below the happy family) and “Get a bigger break” (lower right).

Analysis

Web Site Design: The overall look and feel is excellent and makes a great first impression. The site quickly communicates its purpose: to sell HELOCs and CDs. The sales pitch is benefit oriented, drawing you in and not wasting your time.

But it can be improved. Unfortunately, they’ve buried the most compelling message, “Get $15,000 in 20 minutes,” at the bottom of the home page, requiring users to scroll down to see it. The home page word count could be pared back from 100+ words to 50 or so.

Navigation is good but could be better. The five choices around the ubiquitous “happy family” graphic could be reduced to three by moving the Tax-advantaged Borrowing link to the Home Equity page, and moving the About Us link to a less prominent position on the bottom row of text links.

And why not lose the overused “happy family” graphic altogether and instead substitute the much harder hitting “Get $15,000 in 20 minutes”? It’s far more meaningful to the borrower and stakes out a comparative advantage for the bank that’s difficult for competitors to match.

While the FAQ section is comprehensive and well written in everyday language, it could be better organized and divided into sub-sections.


Rates are displayed prominently on most pages, providing the sense that the bank is quite proud of its prices. That is an important message for visitors, the vast majority of whom will never have heard of DeepGreen.

Security and privacy are addressed at length and the bank uses VeriSign Secure Site on the home page for added credibility. The bank should also consider using the American Banking Association (www.aba.com) SiteCertain system for even more credibility.

Grade

A-

 

Product Design: On the loan side, the HELOC is perfectly suited for the financially savvy prospects DeepGreen hopes to reach. Even though the non-discounted rate is higher than the national average of 8.62%*, the combination of no fees and below-prime rate provides applicants with something to brag about to their neighbors. Customers that take advantage of the entire discount schedule can drop their rate to 8.6%, two basis points below the national average.

The initial balance transfer option along with ongoing access via a Visa Debit card and paper checks make it ultra-convenient to use. The bank should also make the balance transfer process an ongoing product feature (not just for initial applications).

On the deposit side, we think the bank is making things harder for itself and its users. Currently its product line is limited to four CDs: 6-month, 1-year, 2-year and the featured All-Access CD. All-Access is a rising-rate “no-penalty CD” which includes an option to withdraw the money each quarter with no penalty and only a 7-day interest penalty at other times. The CD is being positioned as the place to park money for those who want security and flexibility. However, if that’s the market the bank wants to reach, it should feature a money market deposit account that consumers already understand and trust.

Grades

Loans: A
Deposits: C-


*Source: www.BankRate.com, 9/5/00; national average rate does not take into account potential closing costs and annual fees.

Pre-purchase Customer Support: The bank needs a major upgrade in its Web-based customer support. Other than the well-done FAQ section, the bank doesn’t do nearly enough to answer applicant questions along the way. They need context-sensitive Help throughout, a demo application, and in general more handholding through the process.

The bank should also consider adding live chat in order to answer customer questions immediately. For example, during the all-important balance transfer module, some of the choices are confusing. Without a simple way to ask a quick question, users will tend to simply bypass this feature, depriving the bank of loan balances they would have otherwise captured. NextCard learned this lesson in 1999 when it added live chat in critical areas and saw its abandoned application rate fall by 20 to 30% while lifting balance transfer rates a similar amount.

When we tried to sign up for a CD we received this curious error message on our IE 4.0 browser.

There was a serious glitch in the application when using an IE 4.0 browser (it worked fine with Netscape 4.6). After choosing the online application, this error message popped up (see screenshot above):

Internet Explorer cannot open the Internet site https://www.deepgreenbank.com/menu-js.htm. An error occurred in the secure channel support.

It turned out that the navigation frame would not load. For users who pushed forward past this ominous sounding error message, the application could still be completed but navigation was severely hampered.

Grade

C-

Application Process:

  • Home Equity Line of Credit: This is where DeepGreen shines and why we think it has a good chance of gaining a foothold with online borrowers. The application is both easy to complete and unbelievably fast. In a demonstration of an actual live application, the user was approved in less than a minute for a $15,000 unsecured loan, followed by a $59,000 HELOC several minutes later. The entire process including filling out the loan app and scheduling the closing takes approximately five minutes; and the user doesn’t have to do any preparation prior to submitting the loan. Applicants can interrupt the application process at any time, saving their application and coming back to it later. The only thing that needs improvement is more guidance and customer support along the way.

An electronic transfer process
is built into the CD signup form.

  • CDs: We tested the CD process by purchasing a 6-month CD. Overall, the signup process worked well. It took 6 minutes and 10 seconds to set up and fund a new account, an acceptable time period. That included printing out the disclosures but not reading them. More important than the elapsed time is how the process “feels” to the user. This is impacted by design, navigation, and feedback. DeepGreen does a pretty good job, but it should beef up the help area.

Another weakness is that they don’t require users to retype critical information such as email address, password, and mother’s maiden name. Most Web sites have adopted redundant entry of these critical items to cut down on data entry errors. The bank does require a confirmation on social security number, and users have a chance to review all data prior to hitting submit. But the bank neglects to prompt users to verify the info and doesn’t provide instructions for correcting any errors.

The application also had a few minor usability flaws, such as not allowing you to type in your date of birth; you are forced to use drop-down boxes.

Grade

B
(could easily move to an “A” with more help functions)

 

CD customers can choose to have interest automatically credited to a non-DeepGreen account each month.

Disclosures are via a link; users are not required to wade through them.

Immediate Post-purchase Customer Experience (CDs): We weren’t in the market for a home equity loan, so we were unable to evaluate customer support for new borrowers. We did buy a CD and found the experience less than satisfying.

Aside from a bare-bones and sloppily written thank-you screen (screenshot below), the bank failed to use the Net to provide even a minimal amount of post-purchase support. We ranted on this last year when Wingspan launched, and DeepGreen has not learned from the mistakes of its nearby competitor.

Here’s how one new CD customer reacted to the online purchase. After taking the time to wade through pages of disclosures, complete a 6-minute application, and ACH the money for the new CD, the bank didn’t so much as send a single autoresponse email thank-you or confirmation. In fact, during the next 6 days we heard nothing from DeepGreen via any channel: email, phone, snail mail, or fax. Finally, on day seven the shortest and driest welcome letter we’d ever seen arrived in the mail. It consisted of a four-sentence unsigned form letter reiterating our account details along with nine pages of disclosures, all printed on standard copy-machine 8.5 x 11 20-pound white paper.

If a branch treated new customers like this, they wouldn’t have any. It’s as if you walked into a branch and gave the teller $1,000 to open a new account. After thanking you, the teller turned and walked away and never came back, leaving you standing at the window wondering if you’d just lost $1,000. How confident are you in a bank’s ability to serve you on the Internet if they don’t even use email to acknowledge a new customer?*

Grade

D-
(only CDs tested)

 

The snail mail confirmation arrived in a timely fashion (7 days), but that’s not how it should work on the Net. A stream of emails should begin immediately after the customer hits the Submit button. For example, www.X.com sent us 7 emails and a fax within the first 24 hours of establishing a new account. You simply cannot over-communicate to a new customer who just trusted you with a few thousand dollars.


 

Sloppy copywriting on the thank-you screen
detracts from the initial user experience.

Online Banking Service (post login): Becoming a customer was a big disappointment after such an impressive Web site and product line. The first shock came when I logged back into the bank to look at my account. It takes an unbelievable SEVEN screens, five of which are in the slower secure area, and some horizontal scrolling, before you can view your account balance. Here is the painful process:

  1. Press the Login button on top right of the home page; so far so good
  2. Enter username and password on login screen
  3. Click through the privacy/security statement screen and hit Continue. Why do I have to see this every time?
  4. Select from one of four buttons: apply for a HELOC, look at an existing HELOC, get a new CD, look at existing CD
  5. After choosing “look at existing CD,” you must still wade through another screen with two choices: CD Inquiry, or CD Withdrawal
  6. After selecting CD Inquiry, I finally arrive at my account, but it still doesn’t list the dollar balance; you must highlight the account number in the screen and then choose one of four options presented in a drop-down box; this is confusing and I didn’t figure it out until my third try
  7. After selecting Display Account Summary, my CD information and balance are finally shown

As if that wasn’t bad enough, there is also a serious security error that should have been caught in beta testing. When using Netscape 4.6 (we didn’t test other browsers), even after you think you’ve logged out, you really haven’t. You can go right back into your account without entering a username and password. There is a timeout feature, so even if you left your terminal after you thought you had logged out, a thief would have to come along within the next 10 minutes to cause any harm. It’s unlikely there would be any financial loss, but the error is unsettling, causing even a novice user to question the bank’s ability to safeguard their account.
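The logout behaviour described above, as an added example that is not the bank's code: one common cause (an assumption; the review does not say how DeepGreen's site was built) is a logout that only clears state in the browser while the server-side session stays valid until the idle timeout. The `SessionStore` class and its method names are hypothetical.

```python
import secrets
import time

IDLE_TIMEOUT = 10 * 60  # seconds; matches the 10-minute timeout the review observed


class SessionStore:
    """Server-side session table keyed by an unguessable token (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def authenticate(self, token):
        """Return the user for a live session, or None if unknown or idle too long."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        session["last_seen"] = self._clock()
        return session["user"]

    def logout_client_only(self, token):
        """Flawed: asks the browser to drop the cookie, leaves server state alive."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, token):
        """Hardened: destroy the server-side session, then expire the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Secure; HttpOnly",
                "Cache-Control": "no-store"}


def replay_after_logout_demo():
    """Replay a token after each kind of logout, using a constructed fake clock."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    results = {}
    flawed = store.login("alice")           # constructed sample user
    store.logout_client_only(flawed)
    now[0] += 5 * 60                        # someone returns 5 minutes later
    results["flawed_replay"] = store.authenticate(flawed)
    hardened = store.login("alice")
    store.logout(hardened)
    results["hardened_replay"] = store.authenticate(hardened)
    now[0] += 11 * 60                       # only the idle timeout ends the flawed one
    results["flawed_after_timeout"] = store.authenticate(flawed)
    return results
```

A regression test for this class of bug replays the pre-logout token and expects a rejection, which is the check a beta test would have needed.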

A few other less important faults:

1. The user interface is poorly designed. It uses a triple frame that is slow and cumbersome and required horizontal scrolling even on a 19” monitor set for 800x600 resolution.

2. You cannot use the browser “back” key in the secure areas. Users are forced to use the navigation keys in the left-hand frame. However, you are not always given a navigation choice that takes you back to the previous screen. So you are forced to meander through menus just to get back to where you were. It’s Web navigation circa 1996.

3. After logging in, the Web site allowed us to change email and snail mail addresses with no security challenge. The bank didn’t even bother to send a heads-up email to our old email address to inform us that a change had been made. Only experienced users would notice this security lapse, but it should be fixed before some thief exploits it. To its credit, the bank uses a security challenge (mother’s maiden name) before allowing the account password to be changed.

4. After your session times out, there is no way to get back to the home page without retyping the URL.

5. Ten days after establishing a new CD, we tried to test the withdrawal function. Unfortunately, the bank delivered a vague error message: “You do not have permission to modify this account. Please contact the specialist for more information.” What do they mean I don’t have permission? Who is this specialist? How do I reach them? Most users faced with this message would frantically call customer service to see if their money had been lost.
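The fix suggested in item 3, as an added example that is not the bank's code: a contact-detail change is gated by the same kind of security challenge the bank already applies to password changes, and a heads-up goes to the old address either way. `Account`, `change_email`, the message texts and the list standing in for a mail queue are all hypothetical.

```python
import hashlib
import hmac
import os


def hash_answer(answer, salt):
    """Normalize case and spacing, then derive a slow salted hash of the answer."""
    normalized = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)


class Account:
    """Hypothetical account record; the challenge answer is never stored in clear."""

    def __init__(self, email, challenge_answer):
        self.email = email
        self._salt = os.urandom(16)
        self._answer_hash = hash_answer(challenge_answer, self._salt)

    def check_challenge(self, answer):
        # Constant-time comparison avoids leaking how much of the hash matched.
        return hmac.compare_digest(hash_answer(answer, self._salt),
                                   self._answer_hash)


def change_email(account, new_email, challenge_answer, outbox):
    """Change the address only after a step-up challenge.

    outbox is a list of (recipient, message) pairs standing in for a mail queue.
    The old address is told about both refused and successful changes, so the
    legitimate owner learns of activity even if the session was hijacked.
    """
    old_email = account.email
    if not account.check_challenge(challenge_answer):
        outbox.append((old_email,
                       "A change to your email address was attempted and refused."))
        return False
    account.email = new_email
    outbox.append((old_email,
                   "The email address on your account was changed. "
                   "Contact us if this was not you."))
    outbox.append((new_email, "This address is now on file for your account."))
    return True
```

The mother's-maiden-name challenge is used here only because it is the one the review mentions; any stronger step-up factor slots into `check_challenge` the same way.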

Grade

D


When trying to withdraw funds, we received a vague error message (top of the middle frame): “You do not have permission to modify this account. Please contact the specialist for more information.” This is not a very customer friendly approach.

Also notice how poorly the account inquiry area is designed, requiring both horizontal and vertical scrolling to see the account information.

Another glitch: after typing in a typical home scenario, the bank’s Equity Calculator told me, “Your estimated DeepGreen credit line” was equal to $300,000. But the bank only lends up to $250,000.

Summary: Despite a buggy Web site and a decidedly poor post-purchase customer experience, overall we are deeply impressed with the bank’s strategy and product design on the lending side. We look forward to watching them blaze trails in the non-conforming first mortgage market as well. The bank has some work to do, but what startup doesn’t? The true test comes when we check back in a few months and see whether they’ve improved and expanded the site.

Overall Grade

B

 

Reviewed by Jim Bruene, 8/28/00

e-profile main online banking screen; note preapproved Visa message in upper right-hand corner.

Sanchez Files to Spinoff e-Profile

 

Capitalizing on the popularity of its e-Profile (www.e-profile.com) Web banking platform division, Sanchez Computer Associates (www.sanchez.com) has filed an S-1 to spin off the unit in an IPO. According to the document, as of July 10, 2000, the unit had 11 signed e-Profile clients not including three clients that use a data processing system from a previous acquisition. Four clients are currently in production on the e-Profile system with 579,000 end users (source: American Banker, 7/31/00). Seven clients are listed in the prospectus:

  • 1stwebbankdirect, a division of Sovereign Bank (Wyomissing, PA; $36 billion)
  • American Express Membership Banking
  • DeepGreen Financial, a wholly owned subsidiary of Third Federal Savings and Loan Association
  • Lehman Brothers Bank, a subsidiary of Lehman Brothers Holdings Inc., a global investment bank.
  • Morgan Stanley
  • Dean Witter
  • WingspanBank.com, a division of Bank One’s (Columbus, OH; $273 billion) First USA unit
  • X.com
