« Doubting Thomases for election promises | Main | Vishy's Indian English Dictionary: co-brother »
July 02, 2006
HSBC's Personal Internet Banking not!
HSBC, the self-styled 'world's local bank' advertises an online-only savings account that lets them offer a higher than average interest rate in exchange for lower overhead per retail banking customer. The online-only application process is more arduous than most, requiring multiple forms of identification and a three day period to verify the existing bank account from which you wish to fund the online savings account. Miffed yet patient, I jumped through the hoops, watching the high-interest carrot dangle before my eyes (that mixing of metaphors was intentional) and hoping that this treatment would improve once I actually became their customer. Being part of both the wired generation and Generation Debt, I have seen my share of Web services that purport to help me manage my money online. I've rarely encountered an online-only financial service as bad as HSBC's Personal Internet Banking. I continue to be their customer for now because of their inflation-beating interest rate but if the quality of their Web site was the only consideration, then I'd have stopped being their customer before even applying to be one.
HSBC's Personal Internet Banking service is not personal. After your application has been approved, HSBC sends you your online login credentials, customer ID and password, through separate pieces of snail mail. I waited eagerly for mine to arrive, only to find that my customer ID was--wait for this--a 20 digit number. I remember all of my frequently used credit card numbers, each 15 or 16 digits long, but only because I find myself giving them out frequently over the phone or online. This number is longer than all my credit card numbers, a fact made worse only by the fact that I would use it solely for this one Web service. The password is another 8 digit number, which means as much to me as my customer ID--nothing. When picking security keys and so on, the service requires the customer to click keys on an on-screen keyboard, ostensibly to thwart any keylogging spyware installed on the client computer. I imagine this mouse intensive task would be annoying to not-so-dexterous older users as well as keyboard-preferring younger users. I realize the need to protect against authentication and transaction fraud, but this is ridiculous. Far from being personal, these devices make the online banking customer uncomfortable. The message that HSBC sends to the online banking customer is 'This Web service is ours, not yours, and we'll make you jump through all these hoops to manage your own money!'
Despite showing an astonishing level of awareness about modern devices to commit online financial fraud, HSBC's Personal Internet Banking service is not an Internet service by my definition. The service offers only the thinnest layer of online transaction support, falling back on phone based customer service and antiquated snail mail devices at just about any pretext. Take the authentication credentials for instance. I have no opportunity to choose a personally memorable username and password. I am entirely dependent upon those two or three pieces of snail mail that contain the indecipherable and meaningless 28 digits I need to access my account. A online service that ties me thus to two insecure and easily lost pieces of paper is not an Internet service. HSBC's service also does not support instant online verification of my non-HSBC accounts, unlike some other services I have seen. Adding this feature is a simple matter of technical tie-ups with online banking services from other banks, something I have seen one of my other online banking services do already. Having non-HSBC online accounts verified via trial deposits should be a fall-back option and not the default. Forcing its users to wait three days for any non-HSBC account verification, especially if it is the same one they initially verified to fund the account, is hardly what an Internet service, with its implied instant-gratification tag, should do.
Consistent with HSBC's this-is-our-service-not-yours message, its web site also does nothing to protect the customer from phishing, which is becoming an increasingly effective vehicle for fraudsters to launch online bait-and-switch attacks. There appears to be no way for HSBC's site to identify itself to its users. Bank of America's site, on the other hand, lets users choose a personalized picture, called a SiteKey, which is shown to them before they enter their password. It's not foolproof, but it is certainly more than what HSBC does. All the above complaints are exacerbated by the fact that online-only customers have no recourse to a brick-and-mortar HSBC branch for any complaints. Even a minor site usage error means spending 15 minutes on the phone with a customer service representative, who asks you for your account number, which is another 9-digit number distinct from the other numbers mentioned above. One would imagine that the world's local bank, with its intricate knowledge of local customs, would come into the global Internet age, for once and wise up to its competitors' vastly superior online banking offerings.
Come on HSBC -- get with the program!
Posted by Vishy at July 2, 2006 10:38 AM