Preparing for a Fair Lending Examination Statistical Analysis
At the Independent Bankers Association of Texas (IBAT) Lending Compliance Summit in April, 2014 and at the Southwest Graduate School of Banking (SWGSB) Alumni program in May, there was much discussion about the regulatory focus on Fair Lending in general and the statistical analysis that is being done to identify disparate treatment. The article that follows is the first in a series of three that discuss how banks can prepare for an examination and minimize the likelihood of problems, how a bank might proceed with an in-house study to identify and fix any disparate treatment problems, and finally some statistical examples that help explain several questions that came up at the IBAT and SWGSB gatherings. For additional reading, you may wish to look at How a Bank Can Get in Trouble with Fair Lending Statistical Analysis and Doing Your Own Fair Lending Statistical Analysis.
The discussion of preparing for a disparate treatment statistical analysis is divided into the following sections:
- Fix Data Quality Problems
- Include Calculated Items from Credit Report
- Perform Analysis of Indirect Loans by Dealer/Originator
- Estimate Negative Equity for Indirect Loans
Fix Data Quality Problems
When I worked in IBM’s Global Business Intelligence Systems datamining group, we had a saying:
There are customers that know they have a data quality problem, and there are customers that don’t know that they have a data quality problem.
A dataset can be pristine and balance to the penny from an accounting perspective, and yet be a nightmare from the viewpoint of performing any statistical analysis. If a regulatory statistical analyst receives a poorly prepared dataset, the analyst will spend so much time cleaning up data that little time will be available to distinguish between unusual datapoints that can be discarded as mistakes and others that contain important information and must be included.
The FDIC Compliance Manual -- January 2014 describes risk factors for discrimination to be used in planning an examination on page IV-1.6:
C2. Prohibited basis monitoring information required by applicable laws and regulations is nonexistent or incomplete.
C3. Data and/or recordkeeping problems compromised reliability of previous examination reviews.
Don’t send a poorly prepared dataset for statistical analysis. As a banker, you are much better off if the analyst has more time and spends more time looking for data elements to explain racial/ethnic/gender patterns in your dataset. If the analyst spends hours cleaning up a poorly prepared dataset, expect to have examination problems.
All of these data quality analysis steps can be performed in Excel, though the corrections should be done on the source system so that you don’t have to repeat the clean-up process every year. Most IT personnel would probably choose to use a programming or scripting language that allows regular expressions and other features that make data manipulation easier.
Catch up on Returned Mail Address Clean-up
All returned mail identifies an address problem--either an old address, an incorrect one, or one that is entered so badly that even the U.S. Post Office can’t figure out what it is--and I am amazed at what the Post Office can deliver correctly. Before you do a data pull for any type of statistical analysis, make absolutely sure that you are caught up on fixing returned mail.
The statement mailing firm that you use probably does address standardization as part of the service that they provide, but the standardized addresses probably don't make it back to your core system. Investigate ways to get the standardized addresses into your core system.
If you don’t use address standardization software to identify and correct spelling, format and abbreviation problems in addresses, at least do a pull and get a count of addresses by city and state. Sort the list by the cities with only one account--these are probably misspellings. If you don’t have address standardization software, you will be amazed at how many ways people can spell "Dallas" and "Houston." The Post Office correctly delivers a lot of mail that is badly misspelled. Make sure that all of the state abbreviations are valid.
If you don't have standardization software, you can use a geocoder to attempt to find the latitude and longitude of the address; if the geocoder can't figure out the latitude and longitude, it is either a Post Office Box, a Military address, or an invalid address. The next article in this series, Doing Your Own Fair Lending Statistical Analysis, has a significant discussion about geocoders and geocoding.
Verify Date Formats and Content
Most core systems do a very good job of preventing bogus dates from being entered, but you should check to make sure--especially for ancillary systems and datasets provided from third party vendors. At a minimum, check the following:
- Verify that all dates are valid dates. For example, 2/30/2014 is clearly an invalid date, but could get into a poorly designed software system, or be part of an incorrectly generated data extract from a third party system.
- Verify that all dates are in the right order. For example, the loan payoff date should always be after the loan opening date. There are a variety of other date relationships that should be maintained, but which sometimes aren’t.
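The address and date checks above, written as a script rather than an Excel exercise. This is an added example, not code from the article; the extract layout (account, city, state, open_date, payoff_date as m/d/yyyy text) and the sample rows are constructed for illustration.

```python
"""Data-quality checks for a loan extract before it goes to an analyst:
invalid dates, out-of-order dates, bad state abbreviations, and one-account
cities that are probably misspellings.

Added example; the column names, date format and sample rows are assumptions.
"""
from collections import Counter
from datetime import datetime

# USPS two-letter abbreviations for the 50 states plus DC.
US_STATES = frozenset("""AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA
ME MD MA MI MN MS MO MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT
VT VA WA WV WI WY DC""".split())

DATE_FORMAT = "%m/%d/%Y"  # assumed export format; adjust to your extract


def parse_date(text):
    """Return a date for text such as '2/28/2014', or None if it is not a real date
    (so '2/30/2014' comes back as None)."""
    if not text:
        return None
    try:
        return datetime.strptime(text.strip(), DATE_FORMAT).date()
    except ValueError:
        return None


def normalize(text):
    """Collapse case and whitespace so 'houston ' and 'Houston' count as one city."""
    return " ".join(text.upper().split())


def check_extract(rows):
    """Run the checks over a list of dict rows and return the findings by category."""
    findings = {"invalid_dates": [], "date_order": [], "bad_state": [], "singleton_cities": []}
    city_counts = Counter()
    for row in rows:
        acct = row["account"]
        opened = parse_date(row["open_date"])
        paid = parse_date(row["payoff_date"])
        # A blank payoff date is an open loan; a present but unparseable date is a defect.
        if row["open_date"] and opened is None:
            findings["invalid_dates"].append((acct, "open_date", row["open_date"]))
        if row["payoff_date"] and paid is None:
            findings["invalid_dates"].append((acct, "payoff_date", row["payoff_date"]))
        # Payoff must never precede origination.
        if opened and paid and paid < opened:
            findings["date_order"].append((acct, row["open_date"], row["payoff_date"]))
        state = normalize(row["state"])
        if state not in US_STATES:
            findings["bad_state"].append((acct, row["state"]))
        city_counts[(normalize(row["city"]), state)] += 1
    # Cities that appear on exactly one account are the first place to look for typos.
    findings["singleton_cities"] = sorted(key for key, n in city_counts.items() if n == 1)
    return findings


# Constructed extract rows, including the defects the checks are meant to catch.
SAMPLE_ROWS = [
    {"account": "1001", "city": "Dallas", "state": "TX", "open_date": "1/15/2013", "payoff_date": "1/15/2014"},
    {"account": "1002", "city": "Dallas", "state": "TX", "open_date": "3/1/2013", "payoff_date": ""},
    {"account": "1003", "city": "Dalas", "state": "TX", "open_date": "2/30/2014", "payoff_date": ""},
    {"account": "1004", "city": "Houston", "state": "TX", "open_date": "5/10/2013", "payoff_date": "4/1/2013"},
    {"account": "1005", "city": "Houston", "state": "TX", "open_date": "6/1/2012", "payoff_date": "6/1/2013"},
    {"account": "1006", "city": "Austin", "state": "TZ", "open_date": "7/1/2013", "payoff_date": ""},
    {"account": "1007", "city": "houston ", "state": "tx", "open_date": "8/1/2013", "payoff_date": ""},
]

if __name__ == "__main__":
    for category, items in check_extract(SAMPLE_ROWS).items():
        print(category, items)
```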
Include and Standardize Indirect Dealer/Originator Names
If you do indirect lending, make sure to include the name of the dealer or originator of the indirect loans, and that the loan type and originator are coded correctly and consistently.
Verify Interest Rates Against Rate Sheet
Take an extract of your historical rate sheets, merge the rate sheet with your loan data by time of loan origination, calculate the difference between each loan's rate and the rate sheet in effect at the time of the loan, and then rank by absolute value of the difference. Look at the extreme values--these are probably mistakes. Investigate the reason for the largest differences and add a code or comment to explain why these particular loans have unusual deviations from the rate sheet. If they are mistakes, work with the borrower to correct the loan.
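The merge-and-rank step above, as an added example that is not part of the article. The rate sheet history, product codes and loan records are constructed; each loan is matched to the latest rate sheet row dated on or before its origination.

```python
"""Merge each loan with the rate sheet in effect on its origination date, then
rank loans by absolute deviation from the posted rate so the extreme values
(likely mistakes, or loans needing an explanation code) come out on top.

Added example; the rate sheet, product codes and loans are constructed.
"""
from bisect import bisect_right
from datetime import date

# Constructed rate sheet history: (effective date, product, posted rate %).
RATE_SHEET = [
    (date(2013, 1, 1), "AUTO_NEW", 3.75),
    (date(2013, 1, 1), "AUTO_USED", 5.25),
    (date(2013, 7, 1), "AUTO_NEW", 3.50),
    (date(2013, 7, 1), "AUTO_USED", 4.95),
    (date(2014, 1, 1), "AUTO_NEW", 3.25),
]

# Constructed loans: (loan id, product, origination date, note rate %).
LOANS = [
    ("L1", "AUTO_NEW", date(2013, 3, 15), 3.75),
    ("L2", "AUTO_NEW", date(2013, 8, 2), 3.75),     # 0.25 above the sheet
    ("L3", "AUTO_USED", date(2013, 12, 30), 7.95),  # 3.00 above the sheet: investigate
    ("L4", "AUTO_USED", date(2013, 6, 30), 4.95),   # booked the day before a rate change
    ("L5", "AUTO_NEW", date(2014, 2, 1), 3.25),
    ("L6", "AUTO_USED", date(2012, 12, 1), 5.00),   # older than the sheet history
]


def build_index(rate_sheet):
    """Group sheet rows by product, sorted by effective date, for bisecting."""
    index = {}
    for effective, product, rate in sorted(rate_sheet):
        dates, rates = index.setdefault(product, ([], []))
        dates.append(effective)
        rates.append(rate)
    return index


def sheet_rate(index, product, originated):
    """Posted rate in effect on the origination date, or None if the sheet
    history does not reach back that far (or the product is unknown)."""
    if product not in index:
        return None
    dates, rates = index[product]
    pos = bisect_right(dates, originated)  # rows dated on or before origination
    return rates[pos - 1] if pos else None


def rank_deviations(loans, rate_sheet):
    """Return ([(loan id, note rate, sheet rate, deviation)] sorted by |deviation|
    descending, [loan ids with no matching sheet row])."""
    index = build_index(rate_sheet)
    ranked, unmatched = [], []
    for loan_id, product, originated, note_rate in loans:
        posted = sheet_rate(index, product, originated)
        if posted is None:
            unmatched.append(loan_id)  # cannot be judged; fix the sheet history first
            continue
        ranked.append((loan_id, note_rate, posted, round(note_rate - posted, 4)))
    ranked.sort(key=lambda r: abs(r[3]), reverse=True)
    return ranked, unmatched


if __name__ == "__main__":
    ranked, unmatched = rank_deviations(LOANS, RATE_SHEET)
    for loan_id, note, posted, dev in ranked:
        print(f"{loan_id}: note={note:.2f} sheet={posted:.2f} deviation={dev:+.2f}")
    print("no rate sheet in effect:", unmatched)
```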
Code Collection and Other Loan Modifications Correctly
Make sure that all loan modifications and rework of loans that were messed up somewhere along the line are coded in a way that they can be easily identified and understood. It should be easy for an analyst to figure out that a goofed up loan entry that was corrected and re-issued under another number can be legitimately excluded as an outlier.
Handle Significant Digits Properly When Exporting--Don’t Truncate or Round
In the core systems, numbers can be stored in a variety of ways--some quantities are stored as floating point, some as decimal, some as integers, and occasionally as characters. Each of these data types works differently for rounding and in some cases may just truncate everything to the right of the decimal point. If you extract using a data type that truncates or take a number with 5 decimal places and round it to 2 decimal places, you can introduce some unusual patterns in your dataset.
Always export in the data type that is used to store an element, and always export the number of digits that are stored without rounding wherever possible.
Include Calculated Items from Credit Report
Perhaps the biggest problem that you may encounter in a Fair Lending statistical analysis will be loan decisions that are based upon information that is present on a text-based credit report. If you calculate loan to value, debt to equity, or medical bill charge-offs to total charge-offs from a credit report, but don’t include that in the extract, you will almost certainly have problems during an examination. If these ratios have a strong statistical relationship with race/ethnicity/gender (likely, since income has a strong relationship), race/ethnicity/gender will show as statistically significant, and you will have to spend a lot of time and money providing a corrected extract plus the aggravation of dealing with examiners over Fair Lending disparate treatment issues.
If you include the additional credit worthiness-related variables that you used in the underwriting process, race/ethnicity/gender will probably not show up as statistically significant, and your Fair Lending examination will probably go as smoothly as Fair Lending examinations can go.
If your origination system does not calculate all of the ratios that you use, pressure them to add the additional ratios so that it is easy to extract them. This isn’t so much to make Fair Lending examinations easier, as it is to make fraud and abuse analysis easier for you to do. You should use the Fair Lending dataset for a fraud and abuse analysis; you will probably quickly recover the cost of preparing the data set and will start using your fraud and abuse dataset as the one you submit for Fair Lending analysis.
Perform Analysis of Indirect Loans by Dealer/Originator
If you have an indirect auto loan program, this is an area where race/ethnic/gender discrimination may be occurring without your knowledge or control. It is also an area where there is significant opportunity for fraud and abuse by an auto dealer, or specific employees at an auto dealer. The analysis that you do for indirect lending should be at least quarterly, as salespeople move from one dealership to another frequently--a dealer that has demonstrated exemplary performance for years can go south quickly when a new sales person comes onto the floor.
The discussion that follows is really oriented toward dealer-level fraud and abuse problems rather than Fair Lending, but if a dealer or an employee at a dealer is willing to commit fraud or abuse, discrimination based upon race/ethnicity/gender would not be a far stretch and vice versa. To get to this point, you will have put in a fair amount of work; you should reap the benefit of that labor, and a simple fraud and abuse analysis is the way to do it. For regulatory purposes, this analysis may or may not constitute a review of Fair Lending practices that would require you to correct any problems found; that is a question for your attorney.
Look at Fraud and Abuse Metrics
For a simple fraud and abuse analysis that can be done in Excel, calculate and rank dealers by the following quantities:
- First payment defaults
- Defaults immediately after end of recourse period
- Defaults and delinquency by age
For a dealer that ranks at the top of each list, investigate individual loans that have defaulted or are delinquent. It is likely that this work will be financially rewarding to the bank.
Rank by Dealer Participation Fee
Rank the loans by dealer participation for each dealer, and for all dealers. For the highest participations, are there any patterns? A high dealer participation could be an indicator for negative equity rolled into a deal for benign reasons, it could be negative equity rolled into a deal in anticipation of bankruptcy, it could be good negotiating on the part of the dealer, or it could be the result of discrimination based upon race/ethnicity/gender.
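The dealer-level rankings from the two subsections above (first payment defaults, defaults just after the recourse period, and dealer participation), as an added example that is not code from the article. The recourse period length, the "immediately after" window, the field names and the sample loans are constructed assumptions.

```python
"""Per-dealer fraud and abuse metrics for an indirect auto portfolio, each
ranked so the dealer at the top of a list is the one whose loans to pull first.

Added example; recourse period, window and sample loans are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

RECOURSE_DAYS = 90        # assumed dealer recourse period
AFTER_RECOURSE_DAYS = 60  # assumed window that counts as "immediately after"


def loan(dealer, loan_id, originated, first_payment_default, default_after_days, participation):
    """Build one loan record; default_after_days is None for a performing loan."""
    default_date = None
    if default_after_days is not None:
        default_date = originated + timedelta(days=default_after_days)
    return {"dealer": dealer, "loan_id": loan_id, "originated": originated,
            "first_payment_default": first_payment_default,
            "default_date": default_date, "participation": participation}


# Constructed portfolio: three dealers, participation in dollars.
START = date(2014, 1, 1)
LOANS = [
    loan("Alpha Motors", "A1", START, False, None, 500),
    loan("Alpha Motors", "A2", START, False, 200, 700),   # defaults well after recourse
    loan("Alpha Motors", "A3", START, False, None, 650),
    loan("Alpha Motors", "A4", START, False, None, 900),
    loan("Beta Autos", "B1", START, True, 35, 1200),      # first payment default
    loan("Beta Autos", "B2", START, False, None, 400),
    loan("Beta Autos", "B3", START, True, 35, 600),       # first payment default
    loan("Beta Autos", "B4", START, False, None, 1800),
    loan("Gamma Cars", "G1", START, False, 100, 800),     # defaults 10 days after recourse ends
    loan("Gamma Cars", "G2", START, False, 140, 950),     # defaults 50 days after recourse ends
    loan("Gamma Cars", "G3", START, False, None, 2500),
]


def dealer_metrics(loans, recourse_days=RECOURSE_DAYS, window_days=AFTER_RECOURSE_DAYS):
    """Compute per-dealer rates and participation statistics."""
    groups = defaultdict(list)
    for row in loans:
        groups[row["dealer"]].append(row)
    metrics = {}
    for dealer, rows in groups.items():
        n = len(rows)
        first_pay = sum(1 for r in rows if r["first_payment_default"])
        post_recourse = 0
        for r in rows:
            if r["default_date"] is None:
                continue
            recourse_end = r["originated"] + timedelta(days=recourse_days)
            # Default inside (recourse_end, recourse_end + window] is the suspicious pattern.
            if recourse_end < r["default_date"] <= recourse_end + timedelta(days=window_days):
                post_recourse += 1
        parts = [r["participation"] for r in rows]
        metrics[dealer] = {
            "loans": n,
            "first_payment_default_rate": round(first_pay / n, 3),
            "post_recourse_default_rate": round(post_recourse / n, 3),
            "median_participation": median(parts),
            "max_participation": max(parts),
        }
    return metrics


def rank_dealers(metrics, key):
    """Dealers ordered from worst to best on one metric."""
    return sorted(metrics, key=lambda d: metrics[d][key], reverse=True)


def top_participations(loans, limit=3):
    """Highest dealer participations across all dealers, for pattern review."""
    return sorted(loans, key=lambda r: r["participation"], reverse=True)[:limit]


if __name__ == "__main__":
    m = dealer_metrics(LOANS)
    for key in ("first_payment_default_rate", "post_recourse_default_rate", "max_participation"):
        print(key, [(d, m[d][key]) for d in rank_dealers(m, key)])
    print("largest participations:", [(r["dealer"], r["loan_id"], r["participation"])
                                      for r in top_participations(LOANS)])
```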
Estimate Negative Equity for Indirect Loans
If you have an indirect lending program, negative equity rolled into a deal is a strong predictor of a lot of interesting behavior. Estimating negative equity is painful if not impossible, as vehicles rarely sell for the Manufacturer’s Suggested Retail Price (MSRP) and there really isn’t a good way to capture the "value" of the vehicle. If you do capture MSRP and Kelley Blue Book (KBB) or a similar metric, it is worth calculating the difference between the purchase price and the MSRP/KBB as a proxy for negative equity.
Try to figure out a way to estimate the negative equity rolled into a loan. The dealer knows this exactly, but most lending systems don’t really have a way to record it. If high dealer participations are due to negative equity, you have a credit risk problem to monitor; if high dealer participations are not due to negative equity rolled into a deal, you absolutely have a customer satisfaction problem (the painfully high loan rate that gives the dealer the room to roll in negative equity or over charge has your name on it each month--not the auto dealer’s name) and you may have a Fair Lending problem.
Although this article is about preparing for a Fair Lending examination statistical analysis, there is little in the steps to this point that is directly related to Fair Lending--most of this preparation is related to general data quality and to simple fraud and abuse analysis. Everything in this article can be done using Excel, though there are other tools that your IS staff may have that are better suited to the task.
- Written by Bruce Moore
Creating a Website for Your Small Business or Organization
Creating a website for a small business is quite manageable for moderately technical business owners, but many will want to contract out many or all of the set-up tasks. The article that follows provides instructions on how to set up a site; you can use this to develop your site or as the template for a statement of work with your website development firm.
The article discusses the following steps:
- Choosing a Domain Name
- Purchasing Your Domain Name and Choosing a Web Hosting Provider
- Defining Requirements and Choosing a Content Management System (CMS)
- Choosing a Web Hosting Provider and Plan
- Installing Plugins
- Creating Content
- Setting Up Domain Name Services (DNS)
- Obtaining a Secure Sockets Layer (SSL) Certificate
- Installing an SSL Certificate
- Setting up Search Engine Optimization
- Installing a Favicon
- Installing Apple-specific Icons
Choosing a Domain Name
Selecting a domain name can be one of the most time consuming steps in the process; most of the good short domain names in the .org namespaces are already taken. In many cases, the choice of a domain name is inextricably tied to the name of the company. There are many web sites that allow you to search for available domain names, but some of them will register an available domain name while you are searching, and will then charge you to purchase it, so first do a search on the reputation on the various web sites available for choosing a domain name.
Purchasing Your Domain Name and Choosing a Web Hosting Provider
Once you have decided upon a domain name, you must purchase it from a domain name registrar. Most registrars also offer web hosting services and most web hosting firms will handle the domain registration for you. Using the same firm as the registrar and hosting firm offers convenience, but if you have problems with the hosting aspect of the relationship, it may be more difficult to move your site to another hosting firm.
Although it is cheaper to sign up for a one year contract, for a first site, it is better to go month-to-month so that you can change hosting firms easily in the event that you encounter support problems with the vendor.
Talk to friends that host web services and find out what their experience has been with their domain name registrar. If you want to see what registrar is used for a site that you respect, Domain Tools will do basic lookup of domain registration information.
There are dozens of registrars/hosting firms. I spoke to a number of colleagues who manage various commercial and organizational web sites and came up with the following list. There are many hosting firms and prices vary widely, so shop around and look for promotions.
- Network Solutions provides one-stop-shopping for registrar and hosting.
- GoDaddy provides one stop shopping for registrar and hosting.
- iPage is a smaller and less expensive provider with somewhat less extensive services than Network Solutions and GoDaddy.
- Firehost is oriented to high security environments and is relatively expensive.
- Host Gator is a large hosting firm similar to iPage.
- Verio is a large hosting firm similar to Go Daddy and Network Solutions.
- Zyon is a small and less expensive hosting firm similar to iPage.
- Sprocket Networks is a medium sized firm that is oriented to unusual and highly customized needs.
If you are setting up a web site for a volunteer organization that is part of an "umbrella" organization, you may be able to get hosting services through the umbrella organization. Toastmasters International clubs can host sites on Freetoast Host free of charge, although the club will have to purchase a domain name separately if the club does not want to use the default club number domain (e.g. 2364.toastmastersclubs.org) provided by Freetoast.
Defining Requirements and Choosing a Content Management System (CMS)
The vast majority of small websites and most large web sites are built upon a content management system (CMS). Although there are many, the most popular are Wordpress, Joomla, and Drupal, in order of decreasing popularity and increasing capability and complexity. All three are open source, are written in PHP and use cascading style sheets (CSS).
Before choosing a CMS, make a list of your major requirements and look for plugins for each CMS to accomplish the goals for your site. Table 1 provides a template that you might use as a starting place for gathering requirements for your web site and choosing the content management system.
Wordpress is the CMS used by the wordpress.com blog hosting site. It was developed primarily as a blog hosting CMS, but has a number of e-commerce plugins that allow it to be used in more business oriented environments.
Joomla has a reputation as being somewhat more complex than Wordpress but for having a wider variety of plug-ins to allow a more complex web site. That may or may not be true at this point.
This site was implemented in Joomla.
Drupal has a reputation as being somewhat more complex and somewhat more capable than Wordpress and Joomla. It may have the most robust version control capability. It is oriented to larger web sites with custom development projects.
Table 1.

| Requirement | Wordpress | Joomla | Drupal |
|---|---|---|---|
| Easy implementation of SSL (HTTPS) | Builtin | Builtin | |
| Structured Data/microdata | Several extensions | Some capability built in 3.3. Several extensions | |
| Google Author structured data | Several extensions | Several extensions | |
| Multiple domains with different look and feel on one web site | Builtin, but non-trivial configuration | Several extensions | |
| Language support and translations | | | |
| Version control | Several extensions | Several extensions. Not a strong point. | |
| Authentication | Several extensions | Password and Google, and Google two-factor built in. Several extensions | |
| User management | Several extensions | Users and groups built in. Different menus based upon logged in user. Several extensions | |
| Web application firewall | NinjaFirewall | Akeeba Admin Tools | |
| Backup and Recovery | Google "wordpress backup" for instructions and extensions | Akeeba Backup | |
| Photo albums | Several extensions | Several extensions | |
| Mapping | Several extensions | Several extensions | |
| Calendar capability | Several extensions | Several extensions | |
| Suitability for mobile browsers | Extensive capabilities | Some capability built in. Several extensions | |
| Template or theme with attractive design for your needs | Many developers. Google/Bing "wordpress themes" | Many developers. Google/Bing "joomla templates" | Many developers. Google/Bing "drupal templates themes" |
| Performance | Several extensions | Several extensions | |
| Shopping cart | Several extensions | Several extensions | |
| Reservations | Several extensions | Several extensions | |
| Sports Scoring | Several extensions | Several extensions | |
Choosing a Web Hosting Provider and Plan
Many small businesses purchase the domain name from the same firm that hosts their web site. It makes sense to see what promotions for either web hosting or domain name rental are running at any particular time. Most hosting firms use one of the major CMS offerings by default. It will be easier if the hosting firm that you use offers the CMS that you plan to use. There are three major types of hosting plans from least expensive to most expensive:
- Web server only (about $10/month)
- Virtual private server (VPS, about $30/month)
- Physical server (about $50/month)
Unless you have unusual software needs or high traffic, the domain only service is probably sufficient in all ways but may present some problems for email. A hosting service may operate a hundred domains on a single server; if one of those domains is used for spam, the spam email blacklisting services will blacklist the IP address–not the domain, and email from your domain will be blocked as well as the spam originating domain. This can present a problem even for forwarding email; a volunteer group where I’m an officer has forwarding addresses for officers that won’t forward to Verizon email accounts because the server where our domain is hosted has been blacklisted for another domain that is hosted there.
VPS and physical servers can encounter some email blocking problems as well. Many email systems do reverse domain name service (rDNS) lookups on incoming email, expecting something like mail.domain.com. If the rDNS returns cpanel.domain.com, the email that you send may be blocked. In this case you can probably get it unblocked with an email to the receiver’s email administrator.
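A way to see what a receiving mail system sees for your outbound server, as an added example that is not from the article: the PTR record for the sending IP should be the mail hostname you expect (mail.domain.com rather than cpanel.domain.com), and that name should resolve back to the same IP (forward-confirmed reverse DNS). The lookup functions are pluggable so the check can run offline; the example.com names and 203.0.113.x addresses are constructed placeholders.

```python
"""Reverse DNS sanity check for an outbound mail server IP.

Added example; the sample PTR and A answers below are constructed so the
check runs without network access. The live lookups use the socket module.
"""
import socket


def reverse_lookup(ip):
    """PTR name for ip (lowercase, no trailing dot), or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def forward_lookup(name):
    """Set of addresses the name resolves to (empty when it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def check_mail_host(ip, expected_name, reverse=reverse_lookup, forward=forward_lookup):
    """Return (ok, problems) for a sending IP and the hostname it announces itself as.

    Two things are checked: the PTR must be the expected hostname, and that
    hostname must resolve back to the IP (otherwise receivers treat it as forged).
    """
    problems = []
    expected = expected_name.rstrip(".").lower()
    ptr = reverse(ip)
    if ptr is None:
        return False, [f"no PTR record for {ip}"]
    if ptr != expected:
        problems.append(f"PTR is {ptr}, expected {expected}")
    if ip not in forward(ptr):
        problems.append(f"PTR name {ptr} does not resolve back to {ip}")
    return not problems, problems


# Constructed answers for an offline demonstration (203.0.113.0/24 is a documentation range).
SAMPLE_PTR = {
    "203.0.113.10": "cpanel.example.com",  # control-panel name leaked as the PTR
    "203.0.113.20": "mail.example.com",    # right PTR, but forward record points elsewhere
    "203.0.113.30": "mail.example.com",    # correct
}
SAMPLE_A = {
    "cpanel.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.30"},
}


def offline_check(ip, expected_name="mail.example.com"):
    """Run check_mail_host against the constructed tables instead of live DNS."""
    return check_mail_host(ip, expected_name, reverse=SAMPLE_PTR.get,
                           forward=lambda name: SAMPLE_A.get(name, set()))


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        print(ip, offline_check(ip))
```

Replace the offline tables with the default `reverse`/`forward` arguments to run it against your own server's IP.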
For VPS and physical server installations, most services will offer Web Hosting Manager/Cpanel for an additional fee. These provide a web-based administration interface that simplifies many administration tasks and are well worth it.
Once you have the credentials to log in to your web hosting account and the CMS is installed it is time to install plugins to provide the capabilities that you identified in the Defining Requirements and Choosing a Content Management System (CMS) section.
Because this site was developed with Joomla, the discussion about plugins that follows is done in Joomla, but the general approach will apply to all three CMS offerings. Generally speaking, each of the tools will offer these basic capabilities.
Templates and Themes
The template determines how the site looks, menu placement and provides some capabilities. It is possible to change the template or theme after building the site, but it is best to start out with a template that you like.
Although administrator tools are not required, the free and low-cost administrative and backup tools from Akeeba are well worth the money. The most important functions are the
- Web application firewall which traps a number of different types of attacks
- Generator for .htaccess
- Secure file permissions
Structured data tells search engines like Google and Bing how to identify things like your business hours, location and name. In some cases this is built into the CMS, and in other cases it requires a plugin.
Caching and Performance
If you need reservations, sports scoring or other capabilities, install the plug-ins for those capabilities as well.
All of the previous steps sound long and complicated, but implementing these steps is relatively quick. While the write-up for this step is short, it is by far the most time-consuming part of the site development process. You will need to write articles about the people in your company, directions, maps, and appropriate subject matter. You should create graphics or photos as appropriate.
In all cases, make sure to give each article a good description and good keyword values. The search engines will probably use the description as the synopsis for the page in search results, so spend some time writing good descriptions. Similarly, make sure to provide a good description of each image in the alt tag for the image, as the search engines will use this to index the image.
Setting Up Domain Name Services (DNS)
When you are ready for your site to go live, it is time to set up the domain name services (DNS). If you purchased domain registration and web hosting from the same firm, this is probably already done, and you can skip to the next step. If you used different firms, you will need to log on to your account at the domain registrar's web site and enter the name of the domain name server at your hosting firm. If you are parking additional domains on your web site, you will need to log on to the Web Hosting Manager software at your web site or have technical support do this for you. In WHM, use the DNS Functions->Park a Domain dialog as shown in Figure 1.
Obtaining a Secure Sockets Layer (SSL) Certificate
Although most web sites still run un-encrypted HTTP, most large firms are forcing all of their traffic to use the encrypted HTTPS protocol--Google is probably the most conspicuous firm to do this. You should go to the trouble to do this, as it makes it much harder for criminals to implement a man-in-the-middle attack on your customers. If you expect mobile users and especially users who will access your site using public Wifi, you really, really should go to the trouble to implement HTTPS. There are Certificate Authorities (CA) that will issue a free low-verification certificate that is sufficient for the needs of volunteer organizations.
SSL certificates are used for both encryption to secure communications and trust to verify that you are looking at the website of the real business and not an imposter. Originally, certificates were issued as Class 1 and Class 2, but that has been superseded by Domain Validation (old Class 1), Organizational Validation (old Class 2), and Extended Validation (more rigorous than old Class 2).
If you are running a web site that does not do transactions, a Domain Validation certificate is probably sufficient for your needs.
If you are doing e-commerce or allowing logins, you should get an Organizational or Extended Validation certificate. For these certificates, the CA will check driver's licenses, passports, company incorporation documents, banking records and other items to verify that you are who you say you are and that you are not a cybercriminal. Make sure that the addresses and phone numbers on your domain registration match the incorporation and driver's license/passport documents; you pay for the application for the certificate, not for the issuance of a certificate. If your documentation is not in order, they won't give you the certificate and you may have to pay for a new verification of documents.
The certificate authorities offer a variety of features and packages, so if you have multiple domain names, multiple servers and multiple applications like web, email, and a web application server, it makes sense to carefully analyze your requirements and shop around. Some Extended Validation certificates include free features that justify the cost even though you might not otherwise want to pay for an EV certificate. Table 2 below gives a summary of the validation levels and some of the common features that are included in the different offerings from certificate authorities. Generally speaking, certificates in the upper left corner of the table are the least expensive, and certificates get more expensive as you move down and to the right in the table; certificates in the lower right of the table are the most expensive.
| Validation | Description | Single Domain | Multiple Domain | Multiple Domain Wildcard | Unified Communications |
|---|---|---|---|---|---|
| | | Only valid for one domain name, i.e. www.domain.com. If used to secure both website and email as handled in a typical web hosting package, will have to point email to "www.domain.com" instead of "mail.email.com" and set up appropriate aliases in configuration. | Would allow same certificate for www.domain.com and mail.domain.com. All domains must be known and listed at time of issuance. | Would allow same certificate for www.domain.com and mail.domain.com. Could add a domain after issuance of certificate. Will not support multiple levels like mail.division.domain.com. | Would allow same certificate for www.domain.com, mail.domain.com, and in addition multiple levels like mail.division.domain.com. |
| Domain Validation (Old Class 1) | Low cost or free. Verification limited to determining if applicant is the webmaster for the domain. Appropriate for small business and organization web sites that don't do transactions. Gives lock icon shown in Figure 2. | Commonly offered. Inexpensive choice for organizations that don't do transactions. StartSSL offers free one year certificate. | Technically possible, but not commonly offered. | Technically possible, but not commonly offered. | Technically possible, but not commonly offered. |
| Organizational Validation (Old Class 2) | Moderate cost, significant documentation required. Appropriate for small businesses that do transactions, but lower value and volume. Gives lock icon shown in Figure 2. | Commonly issued. | Commonly issued. May be a free feature with some certificate authorities. | Commonly issued. Usually an additional cost. | Not commonly offered. |
| Extended Validation (more rigorous than Old Class 2) | High cost. Extensive documentation required. Appropriate for businesses that do transactions of high value or high volume. Gives lock and green bar icon shown in Figure 3. | Commonly a free feature of Extended Validation certificate. | Commonly a free feature of Extended Validation certificate. | Sometimes a free feature of Extended Validation certificate. | Usually used by enterprises that are using Microsoft Exchange for email. |
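To check which of the hostnames a small site needs (web, mail, IMAP, FTP) a given certificate actually covers, and how long it has left, here is an added example that is not from the article. It works on the dictionary that Python's ssl module returns from getpeercert(); the example.com names and dates are constructed placeholders, and fetch_cert() is an assumed helper for pulling a live certificate from your own server.

```python
"""Certificate coverage and expiry check.

Wildcard entries match exactly one label, which is why a *.domain.com
certificate covers mail.domain.com but not mail.division.domain.com.
Added example; the certificate dictionaries below are constructed.
"""
import socket
import ssl
import time


def cert_names(cert):
    """DNS names the certificate is valid for: subjectAltName DNS entries, falling
    back to the subject commonName only when there is no SAN extension."""
    names = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value.lower())
    return names


def name_matches(pattern, hostname):
    """True if pattern is identical to hostname, or is *.rest and hostname has
    exactly one extra label in front of rest (no multi-level wildcard matching)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def check_coverage(cert, required, now=None):
    """Return (hostnames the certificate does not cover, whole days until expiry)."""
    names = cert_names(cert)
    uncovered = [h for h in required if not any(name_matches(n, h) for n in names)]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the GMT string form
    now = time.time() if now is None else now
    return uncovered, int((expires - now) // 86400)


def fetch_cert(hostname, port=443):
    """Retrieve the validated certificate dictionary from a live server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed certificates in getpeercert() form, illustrating two of the table's columns.
SINGLE_DOMAIN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
WILDCARD_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
REQUIRED = ["www.example.com", "mail.example.com", "imap.example.com", "ftp.example.com"]

if __name__ == "__main__":
    for label, cert in (("single domain", SINGLE_DOMAIN_CERT), ("wildcard", WILDCARD_CERT)):
        uncovered, days = check_coverage(cert, REQUIRED)
        print(f"{label}: uncovered={uncovered} days_left={days}")
    print("wildcard covers mail.division.example.com:",
          check_coverage(WILDCARD_CERT, ["mail.division.example.com"])[0] == [])
```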
There are numerous Certificate Authorities. Table 3 below is not a complete list, but it includes some of the major CAs.
| Certificate Authority | Web Address | Comments |
|---|---|---|
| StartSSL | https://www.startssl.com/ | Offers free 1-year Class 1 certificate. This is good for encryption and is reasonable for a web site that does not do payment transactions. They also offer Class 2 Extended Validation certificates. |
| Comodo | https://www.comodo.com/ | Offers free 90-day certificate; paid after 90 days. |
| Go Daddy | https://www.godaddy.com/ssl/ssl-certificates.aspx | Go Daddy offers one stop shopping for domain registration, web hosting and SSL certificates. |
| Symantec (Thawte, Verisign, Geotrust) | https://www.symantec.com/verisign/ssl-certificates | Offers features necessary for large institutions, but not necessarily useful for small businesses. |
Installing an SSL Certificate
The following tutorial is for using Web Host Manager assuming that you are not using the certificate vendor associated with your hosting company. For other environments the procedure will be different.
- Generate a certificate signing request (CSR) via SSL/TLS->Generate a Certificate Signing Request as shown in Figure 4.
You will need a CSR for your web domain and potentially for email and FTP servers.
- Optionally, mail.yourdomain.com
- Optionally, imap.yourdomain.com
- Optionally, ftp.yourdomain.com
Setting up Search Engine Optimization
The final step in creating your web site is to register with the various search engines and work on the search engine optimization (SEO) for your web site. SEO is a complex topic by itself, and is discussed in a different article. See Search Engine Optimization and Analysis for Small Banks and Small Businesses.
Unfortunately, even these samples are intimidating for someone who isn't an attorney.
- GeneratePrivacyPolicy.com is fairly comprehensive, but doesn't have check boxes for Google Analytics compatibility.
- (sic) iubenda is geared to Google Analytics, but it is accessed through a link to their site (it resides on their server) and contains their logo in the policy. It costs $27 per year if you want to remove the iubenda logo from the policy.
Installing a Favicon
A “favicon” is the little icon that appears on the left side of each tab in Firefox, Chrome, Internet Explorer and until recently, Safari browsers (I'm sure Apple is getting a firestorm of criticism for this change in Mavericks). A favicon makes it much easier for users to identify which tab they want to select. Favicons must be square, so when you get a graphic designer to do a logo, make sure that the designer provides at least one version that is square. To create the favicon file, the easiest thing to do is to use one of many web sites that will convert an image file to a favicon-format file. Google “favicon convert image” and you will find a number of sites that will do the conversion. Favicon.htmlkit.com is one example of many. If you have graphics editing software, that software may have built-in capabilities as well.
If you don’t have the funds for a logo designed by a graphic artist and don’t have any skills in this area, there are some inexpensive apps that will help you to create a basic but useful favicon. Art Text 2 Lite is a free app for OS X that will generate a simple icon with letters and background–see the Intentional Genealogist web site for an example of the output from this tool.
Once you have the favicon.ico file, you will need to upload it to a particular location on your web server. For Joomla this is
yourtemplate is the directory for the active template on your site. If you use multiple templates, you will need to install the favicon in each template.
To test this, you should bring up your web site in a browser that you don't normally use--it can take a while for the browser cache to expire and for the default favicon for your CMS to be replaced by the custom favicon.
Installing Apple-specific Icons
Apple iOS devices allow users to add a web site to the home screen of an iPhone or iPad–making this feature work well requires some specialized files and HTML markup on your web site. The article Configuring Web Applications in the Apple iOS Developer Library gives a description of what iOS devices look for when a user adds a web site to the home screen on the user’s iPhone or iPad. Some websites indicate that some Android devices take advantage of this support as well. Mathias Bynens' somewhat dated article Everything you always wanted to know about touch icons gives a good description of how this works.
Since iPhones and iPads come in a variety of resolutions, you will need to make several versions of this icon. The easiest way to do this is to use the convert command from the ImageMagick package to generate the various files from your square icon file. For Windows, ImageMagick is available in the Cygwin set of Linux/Unix utilities. On OS X, it is available through MacPorts, a port of a number of utilities that do not come in OS X.
#!/bin/sh
# Usage: sh this-script.sh square-icon.png   ($1 is the path to your square source icon)
convert "$1" -background white -alpha off -resize 60x60! touch-icon-iphone.png
convert "$1" -background white -alpha off -resize 76x76! touch-icon-ipad.png
convert "$1" -background white -alpha off -resize 120x120! touch-icon-iphone-retina.png
convert "$1" -background white -alpha off -resize 152x152! touch-icon-ipad-retina.png
convert "$1" -background white -alpha off -resize 60x60! apple-touch-icon.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-precomposed.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-76x76.png
convert "$1" -background white -alpha off -resize 120x120! apple-touch-icon-120x120.png
convert "$1" -background white -alpha off -resize 144x144! apple-touch-icon-144x144.png
convert "$1" -background white -alpha off -resize 152x152! apple-touch-icon-152x152.png
convert "$1" -background white -alpha off -resize 180x180! apple-touch-icon-180x180.png
convert "$1" -background white -alpha off -resize 57x57! apple-touch-icon-57x57-precomposed.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-76x76-precomposed.png
convert "$1" -background white -alpha off -resize 120x120! apple-touch-icon-120x120-precomposed.png
convert "$1" -background white -alpha off -resize 152x152! apple-touch-icon-152x152-precomposed.png
convert "$1" -background white -alpha off -resize 180x180! apple-touch-icon-180x180-precomposed.png
The script above will run on Linux, OS X, or under Cygwin on Windows. The -background white -alpha off parameters deal with the transparent background of a PNG file. Apple converts a transparent background to black, which may not work well for your particular icon. You can substitute whatever color you wish. The exclamation mark after the size forces the image to a square output file, so if your logo is not square, it will look a little strange. The above resolutions and file name conventions are perhaps overkill, but these are all of the ones that I’ve found in web searches and in the 404 errors on my web site; hopefully these will cover all current and older devices.
Once you have generated all of the icons you will need to upload them to your web site in the location(s) referenced in the link statements in your web pages, or to the root directory of your web site, which is much more likely for a personal or small business web site. You probably will not be able to use the graphical user interface for your CMS to upload files to the root directory of the site (not the root directory of the server), so the scp secure copy file program will be the easiest way to do this:
Once you’ve set this up, monitor the 404 redirect portion of your CMS to see if there are any 404 errors for any of the touch icon files, and address the problem as necessary.
- Written by Bruce Moore
Search Engine Optimization and Analysis for Small Banks and Small Businesses
To prepare for a sales call on a bank in a small Texas town, I plugged the bank’s name into Google--I got a list of many banks, but the one I wanted didn’t appear on the first page, or the second. I couldn’t find anything on this bank until my third Google query. Clearly, this bank had not done the basics of search engine optimization (SEO). Most Texas banks rank at the top of the page for a name query on Google, Bing or both. Unfortunately, some Texas banks cannot be found when searching for them by name on Google and Bing, let alone by “bank city.”
This article is for executives at these banks, for business owners whose business doesn’t show up on a name search in Google and for loan officers trying to help a borrower improve a business’s marketing. The steps outlined in this article would be useful in formulating the tasks in a Statement of Work for the development or maintenance of a web site.
For professionals and businesses that have blogs on other web sites, there is a short discussion of Google Author Tools to help in getting information on your off-website blog postings.
Search engine optimization is one of those things that is easy to do--if you know how to do it. There are thirteen basic steps:
- Register your domain with Google Webmaster Tools
- Register your alternate or old redirected domain(s) with Google Webmaster Tools
- Install a site map on your site
- Register the site map with Google Webmaster Tools
- Set up the robots.txt file on your web site
- Repeat the preceding steps with Bing Webmaster Tools
- Review Google and Bing webmaster tools periodically to identify any errors and to see if the search engines have identified malware on your site (indicating that it has been compromised)
- Make sure that metadata is filled in
- Improve your site with structured data
- Set up Google Author structured data for off-site blogs
- Set up Google Places and Bing Places for Business
- Register with Google Analytics or another analytics provider
- Install Analytics code
Register Your Domain
Purchasing your domain name from Go Daddy, Network Solutions or one of the many web hosting firms does not register the domain name with the various search engine providers--a search engine provider won’t start to scan your website until you register the domain name with them. Registration must be done by someone who has the system authorities to put a small randomly named HTML file into the root directory of the web site on the server. The search engine uses this file to prove that the person registering the site is actually the site owner. Once the site is registered, the search engine will start to scan and index it over a period of several days. The sections that follow discuss things that you should do to control what gets scanned and how to improve your web site to appear higher in search results.
When you register your domain, note that http://www.yourbank.com, https://yourbank.com, and https://www.yourbank.com are all different web sites as far as the search engines are concerned. Decide which one you want the search engine to use in presenting results and identify it as your canonical domain name during the registration process. If you force all traffic to https (a good idea), register only your https domain and make sure to redirect all http traffic on your web site to https.
Register Your Old or Alternate Domains
About ten percent of Texas banks have changed domain names and redirect to a new domain name. Make sure to keep both the new and old domain names registered with each search engine, and make sure to modify the settings on the old domain’s search engine registration so that the search engine knows to point old index references to the new domain name.
Make sure to update the domain name that is used for regulatory reports, as it will be used by third party bank analysis web sites. About 5% of Texas banks have obvious typos in the domain names that are present in the FFIEC database, and another 5% have old and unused domains listed with FFIEC. Part of the algorithm for search rank is based upon other sites linking to your site; if the link is based upon the web site that is listed in FFIEC data, it will point to the wrong location and you won’t get any benefit from the third party link.
Create a Site Map and Register it with Google Webmaster Tools
You’ve probably seen a “site map” link on many web pages and wondered why on earth people put this page out there. It isn’t for humans--it’s for the robots that scan and index your web site. Make sure to generate sitemaps for both text and images, especially if you have relevant graphs or photos of your buildings. Include information about how frequently each page is updated, as this will influence how frequently the search engines scan your site.
For instance, the page with your interest rates should probably show an update frequency of daily or weekly, while the page with your loan application probably would show a monthly or longer update frequency. Figure 1 below shows an example of an automatically generated site map that tells the search engine what URLs are present, the date of last modification, the expected change frequency, and the priority of each page.
Figure 2 below shows an example of the image sitemap for a web site. Notice that this does not include a listing of the logos and stock images for the web site--just the important images for the site. On a bank web site, this might include photos of branches but omit stock photos of office settings.
Once you’ve created the site maps, register them with Google Webmaster Tools. This will tell the search engine robots how often to scan each of the pages on your web site.
Set up the robots.txt File on Your Web Site
The root directory of each web site should contain a robots.txt file--try https://www.google.com/robots.txt. This tells well-behaved robots what parts of your web site to scan and index, and what parts not to scan. At the bottom of the robots.txt file, you should have URLs for your site maps--this tells robots for search engines with whom you haven’t registered where to find your site maps and how frequently to scan and index your site.
It doesn’t make sense for a robot to try to scan and index the Internet banking part of your web site, so that should probably be disallowed. Note: The robots.txt file does not provide security--badly behaved robots can still access any part of your site that is public.
Figure 3 below shows an example of a portion of the Bank of America robots.txt file where the bank has excluded search engine scanning and indexing for a number of login-based portions of the web site and for the mobile version of the web site--they don't want desktop users to stumble upon a version of a page that was designed for a cell phone. If you look at the bottom of the robots.txt file (not shown in the figure) you will find the reference to the sitemap and a comment about the Borneo content management system (CMS) that Bank of America apparently uses and which automatically generated the robots.txt file. The CMS software commonly used by small businesses (Joomla, Wordpress or Drupal) generally does not generate the robots.txt file.
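A check a webmaster can run once robots.txt and the sitemaps are in place, added here as an example and not from the article: it reads the Disallow rules that apply to all crawlers and reports any sitemap URL that falls under them (a page advertised to search engines but blocked from crawling, which usually means one of the two files is wrong), and confirms that robots.txt advertises the sitemap. The domain, paths and both files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article. Cross-checks a robots.txt against the
# sitemap it advertises. The domain, paths and file contents are constructed.
WORK=$(mktemp -d)

# Write the constructed sample files (a login area is disallowed, as the
# article recommends, but the sitemap still lists a page under it).
write_samples() {
  cat > "$WORK/robots.txt" <<'EOF'
User-agent: *
Disallow: /onlinebanking/
Disallow: /m/
Disallow: /administrator/

Sitemap: https://www.example-bank.com/sitemap.xml
EOF
  cat > "$WORK/sitemap.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example-bank.com/</loc>
       <lastmod>2014-05-01</lastmod><changefreq>weekly</changefreq><priority>1.0</priority></url>
  <url><loc>https://www.example-bank.com/rates</loc>
       <lastmod>2014-05-05</lastmod><changefreq>daily</changefreq><priority>0.8</priority></url>
  <url><loc>https://www.example-bank.com/loan-application</loc>
       <lastmod>2014-03-10</lastmod><changefreq>monthly</changefreq><priority>0.5</priority></url>
  <url><loc>https://www.example-bank.com/onlinebanking/login</loc>
       <lastmod>2014-04-01</lastmod><changefreq>monthly</changefreq><priority>0.3</priority></url>
</urlset>
EOF
}

# Print the Disallow prefixes that apply to every crawler (User-agent: *).
disallowed_prefixes() {
  awk 'tolower($1)=="user-agent:" { ua=$2 }
       tolower($1)=="disallow:" && ua=="*" && $2!="" { print $2 }' "$1"
}

# Print each sitemap URL whose path starts with one of those prefixes.
# robots.txt is advice to well-behaved robots, not access control, so a
# page listed here is both blocked from indexing and still publicly reachable
# unless the server itself requires a login.
blocked_sitemap_urls() {
  robots="$1"; sitemap="$2"
  prefixes=$(mktemp)
  disallowed_prefixes "$robots" > "$prefixes"
  grep -o '<loc>[^<]*</loc>' "$sitemap" | sed 's#</\{0,1\}loc>##g' |
  while read -r url; do
    path=$(printf '%s' "$url" | sed 's#^https\{0,1\}://[^/]*##')
    while read -r prefix; do
      case "$path" in "$prefix"*) echo "$url"; break ;; esac
    done < "$prefixes"
  done
  rm -f "$prefixes"
}

# Return 0 if robots.txt advertises at least one sitemap URL.
advertises_sitemap() {
  grep -qi '^sitemap:' "$1"
}

write_samples
echo "Sitemap URLs blocked by robots.txt:"
blocked_sitemap_urls "$WORK/robots.txt" "$WORK/sitemap.xml"
```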
Repeat the Preceding Steps with Bing Webmaster Tools
Once you’ve completed the steps to register your web site with Google Webmaster Tools, you will have covered the basic set-up for about 75-90% of web searches in the United States. To get most of the remaining searches, register with Bing Webmaster Tools. The process and mechanics are very similar, but getting the site map and robots.txt file set up for Bing is a slightly more tedious and error prone process.
Review Web Master Tools Reports
Once you have your site registered with the various search engines, someone should be assigned to review at least the Google webmaster tools each day, starting with the “Security Issues” section. If your site has been compromised, you will hopefully have found it before the Google robot does; if the Google or Bing robots do find malware on your site, you have an “all hands on deck” level problem.
Don’t be Target and discover the malware weeks after the compromise. Figures 4 and 5 below show the malware reports for Google and Bing webmaster tools respectively.
Both Google and Bing webmaster tools provide information on the number of times your web site’s pages were listed in a search, the average rank and the number of times users clicked on the link for the page. They both also list the keywords used in searches.
Make Sure that Metadata is Filled in
Once you have the basics set up, it is time to turn to the content of your website itself. Use the various webmaster tools to tell you what metadata is missing from your site. At the very least, each page should have a keywords tag and for images, the alt tag (this gives a description of the image). Use relevant words—don’t stuff in words that are unrelated to your site, as this will actually hurt your search ranking.
As your site is scanned by the robots, the webmaster tools will start to list the terms that the search engines are using to index the site; if there are concepts and terms that aren’t listed, look at the content of the actual pages and improve the copy to make sure that relevant terms are included in the text of the articles and product descriptions on your site.
The description tag may be used for the synopsis of the web page that Google presents. For example, the search query “loan fee amortization” will probably show the entries in Figure 6 somewhere in the search results. The second item references an article on this web site. The full description tag reads:
This page describes the procedure for calculating the fee amortization and effective yield for loans that involve up-front fees. This is also sometimes called level yield.
Improve your Site with Structured Data
Once you have the content on your site set up and the basic metadata in place, you can start to enhance how your site is displayed by the search engines. To do this, start to set up structured data which is sometimes referred to as microdata. If you Google “bank of the west” you will (probably) see a well organized search result for a Bank of the West web page as the first result, as shown in Figure 7. You may get a California bank or a Texas bank, depending upon what Google thinks you want. In either case the display is probably due to a good implementation of structured data on this web site.
Your structured data should include implementations for the bank, branch locations, hours, key people listed on your web site, products and promotional offers.
- Structured data for an organization.
- Structured data for an address.
- Structured data for hours of operation.
- Structured data for a person.
- Structured data for a product.
- Structured data for an offer.
There are three ways to mark up pages--microdata (recommended by Google), microformats and RDFa. A discussion of the differences is beyond the scope of this article. For small business web sites, the format will probably be determined by the plugin that you select with the exception of the About, Contact and People pages on the site which will probably be coded by hand. For more examples, use the search terms rich snippets, microdata, and structured data.
Set up Google Author Structured Data for Off-site Blogs
Small business owners and professionals who maintain blogs on other web sites should consider setting up Google authorship links. This will alter the search results display to give the name of the author and potentially a photo of the author. Through Google Webmaster Tools, you can get some basic impression and click-through statistics on blog entries where you might otherwise have no meaningful information. To set this up, follow these steps:
- Create a Google+ profile
- Add the sites where you blog in the “Contributor to” section of your profile
- Somewhere in each external blog post, add
<a href="https://plus.google.com/u/0/xxxx?rel=author">A link to your Google+ profile</a> where xxxx... is your Google+ profile ID.
- On your website, install the necessary plug-in to your Joomla, Wordpress or Drupal web site to automatically generate the Google+ link for the author
Once you have this set up, you can use the author stats in Google Webmaster Tools to keep track of the number of times your external blog appears in a Google search, its average position in search results and the number of times people click through to the blog entry. This will help you gauge the effectiveness of your marketing efforts on external web sites, but it will not give you information on the search terms used.
To understand how Google uses authorship in display, Figure 8 below provides an example from the query “loan fee amortization” and the resulting article on this web site. Note the author prefix and the name of the author. In some cases Google will display the photo from the Google+ profile. Note also that in this case, the display synopsis is taken directly from the description metadata tag.
Set up Google Places and Bing Places for Business
Once your web site is in order, you should begin to look at locality improvements to search and set up Google Places and Bing’s counterpart, Places for Business. This will help for queries like “bank grapevine texas.”
Sign up for Google Analytics or Another Analytics Provider
Once you have the basics of your search engine optimization done, you should sign up with an Analytics provider like Google Analytics, which is free. The steps to authenticate ownership of the site are similar to the steps for setting up Google Webmaster Tools. Once the webmaster has enrolled your site, have one or more people in your marketing department set up to use the web analytics tool to understand how your web site is used.
The web analytics tool should inform your product development and product bundling—the order in which people view the articles on my web site has absolutely influenced my product development plans. How to use web analytics is beyond the scope of this article.
Install Analytics Code
The steps in this article provide the basic search engine optimization steps that will get your bank or business listed at or near the top—when someone is looking for your organization by name. The steps in this article should be viewed as a starting point for search engine optimization.
- Written by Bruce Moore
Email Security Part 2: Digitally Signing Your Email
This is the second in a series of articles on how to secure your email. Securing Your Email Part 1: Verifying the Sender covers the reasons for setting up your email clients to send and receive digitally signed and encrypted email. If you haven't read it, the procedures in this article will be easier to follow if you have already read Part 1.
In this article, we'll go through the process of setting up a private key that you install only on your computer, and a public certificate (public key) that is attached to your email and which others will use to encrypt mail sent to you. Your private key and the certificates should be stored in a password protected file, and generally shouldn't be kept on your computer except where they are installed in the Operating System or your email client, where they are protected by encryption.
If you want to find out more about how all of this works, Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age by Steven Levy is a good non-technical book on how public key encryption works.
This article covers how to obtain an S/MIME certificate and how to install and use it on several major email clients:
- Obtaining an S/MIME Certificate for Your Email Address
- Installing and using the S/MIME Certificate on Thunderbird
- Installing and using the S/MIME Certificate on Microsoft Outlook
- Installing and using the S/MIME Certificate on Mac OS X Email Client
- Installing and using the S/MIME Certificate on an iPhone
Note that some illustrations show “StartCom” certificates. This article was originally written when StartCom was a reliable certificate vendor. In 2016, it was purchased by another vendor and issued some fraudulent certificates; it was subsequently removed as a Certificate Authority from most browsers and email clients. At some point I will go back and update all of these screen captures.
Obtaining an S/MIME Certificate for Your Email Address
There are a number of S/MIME certificate vendors that can provide you with a certificate to use for S/MIME email signing and encryption (kind of a mouthful sentence isn't it). Here are a few that offer free email certificates, although it may be hard to find the free offerings on some sites:
There are numerous other certificate vendors. As a rule, stick to one that offers an "Extended Validation" certificate, even though you won't be using one of these. This generally guarantees that the vendor's Certificate Authority root certificate will be installed as part of the Microsoft, Apple, and Android maintenance streams and that neither you nor the people with whom you correspond will need to accept a root certificate (there is risk in accepting root certificates). There are a couple of "Community Certificate Authority" services, but they generally don't have their root certificates accepted into the operating system maintenance streams.
For the free low-verification (Class 1) certificates, the vendor will send you an email with a link that you need to click on to verify that you are the email owner. If you want to pay for an Individual or Organization Class 2 certificate or an Extended Validation certificate, you will need to supply a driver's licence (or passport) and other information that the vendor will use to verify your identity and authorization to obtain and control the certificates. You pay for the investigation--not the certificate, so make sure that you have all of the documentation together before applying so that the investigation is successful.
The tutorial that follows is for Comodo, the vendor that I have used.
If you are using an Apple computer, do all of this in Safari rather than Firefox or Chrome, even if those are your normal browsers. If you do this in Safari, it will automatically place the certificates in the Keychain where they are directly usable by the OS X email client. If you do this in Firefox or Chrome, the certificates may stay within the browser's keystore, in which case you will need to export them and import them into the keychain.
Similarly, if you are on Windows, do this under Internet Explorer, as it may place them directly in the Certificate Manager (same thing as Apple's keychain) without any intervention on your part. In either case, you will still need to make an off-computer back-up that is stored in an encrypted file.
- From the home screen, select "Sign Up Now" in the lower left corner
- Wait for the selection list for “Private Key Options” to appear before you start to enter your identification information. Unfortunately, the screen will paint without any indication that the key quality option will appear; while it is doing this, Firefox is generating a random number that it will use to generate a private key and then a “Certificate Request”. It will take Firefox a couple of minutes to generate the private key. If you proceed with entering your personal information, Comodo will come back with an error message that Firefox did not send a Certificate Request. Protect the private key and certificate as you would a password, and make sure to store a backup copy.
- Go to your email and click on the “Click and install Comodo Email Certificate” link.
- Firefox will automatically import the certificate into the Firefox Certificate Manager. If you use Windows Explorer, it will import it into the Windows Certificate Manager.
- It will install the certificate in your browser's keystore. For Safari on OS X, this is shared with the OS X email client--if you restart your email program, you can skip to Installing and using the S/MIME Certificate on Mac OS X Email Client.
- When you get back to the Control Panel, go to the Validations Wizard and validate all of your other email addresses.
- In Firefox, backup the certificates to a USB drive that you can store safely. It will prompt you for a password. Use a strong one. You will use this file to import certificates into Thunderbird, Outlook on your laptop, your iPhone or other devices that you use.
- Note that all subsequent illustrations show “StartCom” certificates. This article was originally written when StartCom was a reliable certificate vendor. In 2016, it was purchased by another vendor and issued some fraudulent certificates; it was subsequently removed as a Certificate Authority from most browsers and email clients. At some point I will go back and update all of these screen captures.
- If you use an OS X machine, you should back up your certificates to a USB drive that you can store safely. Use the keychain access program. You will need to select the private keys and certificates for each email address. In most areas, OS X is the easiest platform for S/MIME, but in this step, it is the hardest and most error prone. Select File->Export Items. It will prompt you for a filename and file type--take the default .p12 file type. When prompted, use a strong password.
- If you use Windows, you should back up your certificates to a USB drive that you can store safely. Use Internet Explorer or run certmgr.msc. The instructions that follow are for Internet Explorer.
- In Internet Explorer, select Options->Content->Certificates
- Next, select Export
- When it prompts, select "yes" to export the private key. It will require a password--use a strong one.
When you have finished generating and backing up your certificates and private keys, you are ready to install them on other computers or devices. The next sections show you how to install your certificates and private keys on other devices so that you can digitally sign and encrypt emails on all devices.
Installing and using the S/MIME Certificate on Thunderbird
Installing and signing email on Thunderbird requires installing your private key and certificates, assigning the certificate to use for each email account, and setting the default value for whether or not to digitally sign and/or encrypt each email.
Installing your Private Key and Certificates on Thunderbird
The first step in setting up Thunderbird is to install the certificates that you obtained in the previous step. To do this, go to Edit->Preferences->Advanced->Certificates. You will see a display something like the figure below. Select Import and go through the dialog to find the backup file with your certificate and private key from your USB drive. It will prompt you for the password to open the backup file and then it will import them to the list under "your certificates."
Setting the Certificate to use for Each Email Account
The next step is to go to each email account and select the certificate for that email account and set the defaults that you want to use as in the figure below. The whole point of this exercise is to authenticate your email, so go ahead and check the "Digitally sign messages" box.
If you check the encryption box, understand that it will only work for email recipients for whom you have a certificate--probably not very many people at this point in time. If you CC a bunch of people, you would need certificates for each of the people that you have cc'd. The email is stored unencrypted on your disk drive; the recipient may choose to store it encrypted or unencrypted.
Sending a Signed and/or Encrypted Email
Finally, we are ready to send a signed or encrypted email. Note that if you choose encryption, the sender, recipients and subject line are never encrypted...just the contents. The figure below shows the "send" dialog on Thunderbird--notice the S/MIME pulldown on the toolbar. To change whether or not the email is signed or encrypted, just click on one of the items in the pulldown. If you select "View Security Info" it will give you a dialog box with information on the certificates of the recipients.
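The backup step (exporting key and certificate to a password-protected .p12 file) and the signing step above, as an added command-line example that is not part of the article: using openssl, it creates a constructed self-signed test identity (standing in for the vendor-issued certificate), exports the .p12 backup, restores from it, signs a message, verifies the signature, and shows that verification fails once the signed text is altered. The name, email addresses and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): the article's browser and mail-client
# workflow done with the openssl command line so each step can be checked.
# A self-signed certificate stands in for the vendor-issued one; the name,
# addresses and passphrase below are constructed.
set -e
WORK=$(mktemp -d)
EMAIL="alice@example.com"
P12_PASS="constructed-demo-passphrase-replace-with-your-own-long-one"

# 1. Test identity: a self-signed key pair and certificate, valid 30 days.
#    (A real S/MIME certificate comes from a CA whose root is already trusted.)
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Alice Example/emailAddress=$EMAIL" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# 2. The backup step: private key and certificate in one .p12 file protected
#    by a strong passphrase, the same artifact the article exports from the browser.
export_backup() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -name "$EMAIL" -out "$WORK/backup.p12" -passout "pass:$P12_PASS"
}

# Confirm a backup opens with the given passphrase (exit 0) without writing the key out.
check_backup() {
  openssl pkcs12 -in "$WORK/backup.p12" -info -noout -passin "pass:$1" >/dev/null 2>&1
}

# 3. Restore key and certificate from the backup and sign a short message.
#    From/To/Subject are ordinary headers outside the signed part: neither a
#    signature nor encryption protects who a message was addressed to.
sign_message() {
  openssl pkcs12 -in "$WORK/backup.p12" -nodes -passin "pass:$P12_PASS" \
    -out "$WORK/restored.pem" 2>/dev/null
  printf 'The rate review meeting moves to 10:00 on Monday.\n' > "$WORK/body.txt"
  openssl smime -sign -text -in "$WORK/body.txt" \
    -signer "$WORK/restored.pem" -inkey "$WORK/restored.pem" \
    -from "$EMAIL" -to "bob@example.com" -subject "Rate review" \
    -out "$WORK/signed.eml"
}

# 4. Verify a signed message against the trusted certificate (exit 0 = intact).
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" -out /dev/null 2>/dev/null
}

# 5. Change one detail of the signed text; verifying the copy must fail.
tampered_copy() {
  sed 's/10:00/11:00/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  printf '%s\n' "$WORK/tampered.eml"
}

# Run the whole sequence; prints OK only if the tampered copy is rejected.
demo() {
  make_test_identity && export_backup && check_backup "$P12_PASS" && sign_message
  verify_message "$WORK/signed.eml" || return 1
  if verify_message "$(tampered_copy)"; then return 1; fi
  echo "OK: signature verified, tampered copy rejected"
}

demo
```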
Installing and using the S/MIME Certificate on Microsoft Outlook
To sign and encrypt email on Outlook, you must first install your private key and public certificate. In Outlook:
- Go to File->Options->Trust Center->Trust Center Settings->Email Security. Put a check mark in the setting to digitally sign emails by default.
- Within Trust Center, go to E-Mail Security and select Import/Export and use the Browse button to locate the .p12 file; enter the password for the certificate backup file and a name. The name doesn't appear to need to match up to anything.
- Accept the default of "medium" for the access level for this private key and certificate. This will prompt you once for each certificate in the file, but it won't give you an indication of the certificate that it is importing.
- If you want to review the certificates that you imported, enter certmgr.msc in Run.
Sending Signed Email
Sending signed email the first time will generate a couple of one-time only prompts. To start off, let's make sure that we have set the defaults:
- Start a new email and then go to File->Properties
- Select Security. The check box for digitally signed should be checked
- When you hit "send" you will get a very cryptic prompt asking for access to the private key that is needed to digitally sign (or encrypt) the email. Select "Allow."
Installing and using the S/MIME Certificate on Mac OS X Email Client
Installing your Private Key and S/MIME Certificate on Mac OS X
The first step in sending digitally signed email is to install your private key and certificate on Mac OS X. To do this, take the key backup file (.p12 file type) and select it from finder. It will prompt you for the password to the backup file. When you enter the password, it will automatically import your private key and certificate into your keychain (keystore) and bring up the Keychain Access application. You do not need to do anything more, though it may be interesting to see all of the keys and certificates in the keychain. If you look around, you will see both the certificate and the private key that you just installed for your email account. If you have received signed email previously, you will see the certificates from those senders.
Sending Signed Email
Since we installed our private key and certificate in the previous step, the "send mail" window changed--it will now have a lock icon and a check-mark icon immediately to the right of the signature selection control as shown in the figure below. The digital signature property is now selected by default but the lock icon will show as unlocked until we enter a recipient from whom we have a certificate.
If you change the signature property, it will stay unchecked for subsequent emails until you change it back to checked. When you send an email the first time after you install your key and certificates, the email client will ask for access to your "keystore." You will need to allow access, otherwise the email client will not be able to sign and/or encrypt the email.
Sending Encrypted Email
To send an encrypted email, enter the email recipient in the "To:" area, and select the lock icon. If it won't lock, that means that you don't have a certificate for this person, and you can't send them encrypted email. If you do have a certificate, it will now lock (encrypt) for all email sent to that email address unless you unlock the icon.
It is important to remember that you must have a certificate from someone before you can send them encrypted email. When you receive a digitally signed email from someone, the Mac OS X client will automatically install their certificate in the keystore for you.
Installing and using the S/MIME Certificate on an iPhone
If you haven't already done so, you should make sure to set a lock password on your iPhone so that if you lose your device, your email isn't compromised. Similarly, make sure to set the remote wipe capability.
The hardest part in setting up an iPhone to send digitally signed and encrypted email is getting the certificate backup file onto the iPhone. Here are the steps to do this:
- Export each certificate as an individual backup file.
- Copy the files to the iPhone using one of two methods:
- Copy each certificate file to iCloud drive
- Email it (easy, but probably less secure)
- Select the file and follow the prompts to enter your iPhone lock code followed by the certificate backup password.
Once you have the certificates installed on your phone, you will need to go into settings to set up your email account to use it to send mail.
- Open settings and choose “Accounts and Passwords”.
- Select the account where you want to use the S/MIME certificate.
- Select the email account again at the right arrow.
- On the account settings screen, open the “Advanced” settings.
- On the Advanced Settings screen, enable S/MIME and select “Sign”.
- On the digital signature screen, select the certificate that you want to use for this email account.
- Written by Bruce Moore