
YourCU.love or YourCU.sucks?

By Jim Benlein, CISA, CISM, CRISC


Starting in July 2015, it became possible for someone to note their love (.love) or hate (.sucks) for your credit union through a website with that generic top-level domain name. In other words, it’s now possible to have a www.mycuname.love or www.mycuname.sucks website. So more than ever, it is important your credit union has a clear governance system and strategy for its online presence and identity.

In the 1990s and the first years of the new millennium, managing your online presence was fairly easy. You selected a generic top-level domain (gTLD) of .com, .net, or .org. You then determined what second-level domain (i.e., mycuname) you would use. And most probably, you let your third-level domain/label be “www.” If available, you also registered and configured redirect pointers for other gTLDs to your main website. (For example, if you were using mycuname.org, you set up redirects for .com and .net to direct folks to your .org website.) When they later became available, you may have added .coop or .biz or .info to that list of redirects.

That was then. This is now. And things are a bit more complicated.

If you didn’t buy/register your .love or .sucks during the sunrise period (when trademark holders are allowed first crack at names), you are now competing with anyone willing to pay the annual fee for the name. And if your name falls in a listing of “Premium” names, that .sucks registration can cost up to $2,499 per year.

The high cost for the premium domains is intended to prevent companies from buying up and holding out on the domains as a way to prevent consumers from using them. For example, the primary registrar (Vox Populi Registry Ltd.) would prefer a "consumer advocate" own a Fortune-500-Company.sucks domain rather than the Fortune-500-Company, or that some regular guy owns divorce.sucks rather than a large law firm.

To make things more complicated, there are also decisions to be made on the other available gTLDs (e.g., .buzz, .cool, .creditcard, .fail, .fan(s), .gripe, .loan(s), .mortgage, .porn, .review(s), .rip, .rocks). As far as “.cu” goes, that’s reserved as the country code for Cuba. And while the Internet Assigned Numbers Authority, which maintains and oversees approval of top-level domains, has retired some names, as of February 2015, their official list had grown to over 800 entries, and they expect it to grow to over 1,000 in a few years.

Notably, you can see if your CU is on the premium list. As an example, a CU can go to the Network Solutions website, and search to see if a .sucks domain already has been registered, and if not, the cost to do so.

In examining the impact of these additional domains, you have two primary concerns: Is someone pretending to be us? Is someone using a site to vent their dissatisfaction with us?

Starting off with the first concern, each credit union needs to clearly establish its domain naming convention policy and standards. How will the credit union handle website sections/sub-sites or adjunct product/service sites? For example, the credit union has partnered with a vendor to provide online mortgage application processing through the vendor’s web portal. Will the credit union’s “link” to this portal be through www.mycuname.mortgage or mortgage.mycuname.org? Once chosen, the standard should apply to existing and new links.

With a policy and standards in place, the CU can begin an awareness campaign for employees and members. Employees should be informed of the policy and standards and trained to explain how online products and services are available through the CU’s official website. Informing members about the CU’s “official” website(s) can be handled in mailings, on the website itself, or through other member communications covering online safety and security {…to access our online mortgage application system, visit our home page at www.mycuname.org and click on the Mortgage Application button; you will then be transferred to our processing site at mortgages.mycuname.org…}. Providing this clear understanding of what’s “official” helps prevent members from using fake or fraudulent sites.

Also within the policy, the credit union can address how it will handle the various available gTLDs. Will you ignore them? Or, based on a risk assessment, will you register those deemed to be particularly important/critical/sensitive/dangerous to the CU and its operations?

Addressing the second concern (reputation) starts off in much the same way: The credit union needs to determine its strategy for handling online comments, complaints and praise. This one gets a bit tricky and goes beyond just an irate individual deciding to set up a mycuname.sucks website. This gets into the reputation aspect of the credit union’s enterprise risk management program.

While addressing the multiple aspects of reputational risk goes beyond the scope of this article, there are a few items we can examine related to domains and websites.

A plan to reduce reputation risk by registering and controlling disparaging domains is a game of Whac-a-Mole. Registering .sucks may prevent mycuname.sucks, but does nothing about mycuname-sucks.com, mycuname-really-sucks.info, mycunamesucks.gripe, whymycunamereallysucks.fail, and so on.

Does this mean there’s nothing you can do? No. If your credit union has a registered (verifiable) trademark (mycuname™), it can work through the Trademark Clearinghouse to register and protect its brand from misuse or infringement related to gTLDs.

More so than looking to capture domains and prevent their usage, the CU’s ability to protect its reputation from a .sucks or similar website lies in its ability to manage member service conflicts and issues before they reach that level. Just as the CU has clear internal guidelines for handling and escalating personnel/HR issues, it should have similar guidelines for member issues. For example, is it made clear to members that their complaints can be taken beyond CU employees to the board of directors or the appropriate state or federal regulators if the member doesn’t feel staff or management has addressed their issue?

While the proliferation of new generic top level domains for websites and their potential to negatively impact CU operations continues to grow, there are ways for the CU to mitigate these threats. Just as in other areas, the proper application of policy, standards, and superior customer service aids the credit union in managing these risks.

Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insights to CUs on information technology governance, information security, and technology risk management.
