Out-Law / Your Daily Need-To-Know

EU regulator urges ICANN to block applications for '.bank' and '.fin' domains

Out-Law News | 29 Feb 2012 | 3:43 pm | 4 min. read

Fraudsters could pass themselves off as regulated financial services companies as a result of the ability to register domain names under the '.bank' and '.fin' suffixes, a European banking regulator has said.

The European Banking Authority (EBA) has written to the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the identification of websites, asking it to withdraw the availability of .bank and .fin generic 'top level' domains (gTLDs) which it is currently inviting applications for.

Last summer directors at ICANN voted to increase the number of gTLDs from the current number of 22. Top-level domains are the suffixes to addresses and include familiar address endings such as .com, .org and .net. The first round of applications for the new gTLDs opened in January and will close in April. An ICANN spokesperson told Out-Law.com last year that it will cost $185,000 (£114,000) to apply for new web address endings and that companies must demonstrate that they have a legitimate claim to the name they are applying for.

Andrea Enria, chair of the EBA, said the regulator is concerned that consumers could be exposed to financial scams as a result of the two suffixes being made available.

"[The EBA Board of Supervisors] has come to the conclusion that there are many supervisory concerns surrounding the operation of the proposed TLDs by the ICANN, relating mostly to the great potential, according to the EBA view, for misuse by unscrupulous individuals, and that, therefore, any plans for their operation should ideally be discontinued," Enria said in a letter (2-page / 117KB PDF) to ICANN earlier this month.

Enria said that consumers could think that websites registered with .bank or .fin domains have been endorsed by financial regulators when they may not be.

"The potential for consumers of financial services to over-rely on what might be perceived as 'regulatory endorsement' of the companies operating under such TLDs is immense, and the risk for new types of fraud and 'phishing' can be enormous," Enria said.

"The same can be said of the danger for confusion regarding the operation of legitimate websites by 'true' financial institutions and regulated entities. This could lead to the need for them to establish costly and complex legal or commercial initiatives in order to safeguard their trademarks from frauds and abuses," she said.

In a separate published opinion (3-page / 167KB PDF) the EBA also outlined concerns about the difficulty in establishing whether websites rooted at .bank fall within the existing regulatory framework because of the fact the domain is "not lined to a specific country, to a specific supervisor or to a specific regulatory framework".

"Customers might have problems in assessing whether they are transacting with a bank with physical presence in their own or in other countries (EU or elsewhere) or whether they are dealing with an intermediary and where that intermediary is located," the opinion said.

The EBA said that if there was a "process for registration and control" that meant that only "authorised financial institutions" could register domain names anchored at '.bank' and '.fin' then such a regime "could be allowed".

However, because there have not been identified benefits of enabling .bank and .fin domains to exist, the potential effect on consumers, the potential use of the domains by companies across the world and unresolved "technical details" the concerns of the EBA cannot be addressed, it said. 

In her letter Enria said that if ICANN does decide to allow applications for web addresses rooted at .bank and .fin then it should, "as a minimum required action," issue a "public consumer alert, warning them of the risks of these new TLD conventions and the need to be pro-active in checking that the websites used are indeed the sites of regulated entites". The EBA opinion made clear that the regulatory authority itself will be issuing such warnings to consumers.

The first round of applications for new gTLDs is open until 12 April. Applicants have to complete a form containing 50 questions before their request is scrutinised in an evaluation process. ICANN has said previously that potentially "thousands" of new gTLDs could be introduced by the start of next year.

ICANN has said it wants to "unleash the global human imagination" by extending the number of top level domains.

In a blog posted in December ICANN senior vice present Kurt Pritz said that the new registry system for gTLDs would "have even greater safeguards than the TLD registries that exist today and will include enhanced protections for trademark holders". He said "the new environment will sharply reduce the need for defensive registrations".

A spokesman for ICANN told Out-Law.com that he was aware of two applicants that are competing to act as domain name registrar for the .bank domain.

BITS, which is the technology policy arm of The Financial Services Roundtable (TFSRT), has applied for the .bank domain. TFSRT is made up of 100 of the largest financial services companies in the US.

Last year Craig Schwartz of BITS told The Register news website that only financial services companies would be allowed to register domain names rooted at .bank if BITS were approved as the .bank domain registrar.

"Ensuring sub-domains are given only to qualified candidates, that leads to a more secure space from the get-go," Schwartz said, according to The Register's report.

BITS face competition from a company called Domain Security which, according to its website, "will create .SECURE and .BANK to fight phishing and other fraudulent activities". The company also claims that it owns the .bank trade mark in the US.

"Currently most banks spend a huge amount of time, money and effort contesting trade mark disputes over domain names registered at traditional domains such as .com, .net and .org," Gillian Anderson, expert in trade mark law at Pinsent Masons, the law firm behind Out-Law.com, said.

"This problem will continue, and significantly grow with the creation of the new .bank gTLD, unless domain name registrars are required to impose closer controls over who can register web addresses under the new generic top level domain regime," Anderson said.