Phishing has become one of the most persistent problems for banks, insurance companies, and other financial services providers. Not because they have weak technical infrastructure — quite the contrary — but because customers are easy to mislead.
Most cyberattacks against banks are not technical attacks. They are trust attacks. The attacker does not need to break encryption or bypass a firewall. In many cases, all they need is a convincing website, a believable domain name, and a customer who is tired, distracted, or in a hurry.
Even the best cybersecurity programme cannot fully compensate for a confused user.
That is why dotBrand top-level domains — custom TLDs where a company's brand name forms the domain extension, such as .barclays, .bnpparibas, or .bradesco — deserve far more strategic attention in financial services than they currently receive. When we reviewed the data closely, the conclusion was clear: financial services providers are not treating Brand TLDs as a marketing gimmick. Over the past decade, they have emerged as one of the few tools available that can reduce fraud by making authenticity structurally easier to verify.
Financial services may be the single best proof that dotBrand domains are evolving from a novelty into a strategic trust layer.
Our sector-wide analysis of dotBrand usage across banks, insurers, credit card networks, and investment firms produced a striking baseline:
Across many other industries, dotBrand TLDs have remained largely unused — often limited to a NIC site and a handful of internal redirects. Financial services, by contrast, has built out real digital infrastructure within brand-controlled namespaces. That makes sense: few sectors have a stronger incentive to reduce fraud and strengthen customer trust.
The financial sector accounts for roughly 10% of all delegated dotBrand TLDs worldwide. The scale of usage varies widely — the largest single dotBrand (Germany's .dvag) has nearly 9,000 domains registered, while many others have fewer than ten. But the overall pattern is one of genuine investment, not tokenism.
The most persistent misunderstanding about dotBrand domains is that they are a marketing initiative. For the financial industry, they are a control mechanism.
Under ICANN's Specification 13 model, a dotBrand operates as a closed namespace. The organisation that owns the TLD is the only entity that can create domains under it. From a cybersecurity perspective, this is a powerful concept: it creates something the public internet usually cannot offer — a domain environment where authenticity is structurally enforceable.
A criminal can register secure-bank-login.com. But they cannot register login.barclays.
This is not about making URLs prettier. It is about reducing the number of ways criminals can imitate a legitimate financial institution online.
One of the more interesting findings is that many dotBrand domains are live but not as standalone websites. The majority are used as deliberate redirects — and this is sometimes dismissed as "half adoption."
That view misses the point. Redirect-based dotBrand deployment is arguably the most sensible path for a highly regulated organisation. It allows institutions to:
%402x.svg){kind=icon}
.com or .co.uk or .com.br infrastructure intact
In practice, this is how most large organisations adopt any structural change: incrementally and with redundancy. In banking, redundancy is not a bug. It is a requirement.
European financial institutions were among the earliest and most aggressive dotBrand users.
Barclays moved its main web presence to home.barclays and its credit card division to home.barclaycard in 2015. This was a textbook example of what dotBrand domains can achieve when deployed properly: they simplify the user experience while reinforcing authenticity. A customer may not understand DNSSEC or certificate pinning. But they can understand one simple rule: if it ends in .barclays, it is Barclays. That message combines security, branding, and user experience. Barclays registered over 120 domains under its TLDs, with specialised addresses like entrepreneurs.barclays for small business banking and ib.barclays for investment banking — each clearly tied to the brand.
BNP Paribas went further by deploying transactional services under dotBrand domains, including its retail banking portal mabanque.bnpparibas (serving approximately 8 million customers) and its corporate site at group.bnpparibas. This demonstrated that Brand TLDs can support not just marketing sites but critical infrastructure where customers log in and manage their accounts. The bank maintained redirection from all legacy domains, ensuring a gradual and reversible migration.
Pictet's deployment is more modest but purposeful: regional entry points (am.pictet, asia.pictet), corporate identity (group.pictet), and specialised content (collection.pictet for cultural initiatives).
From a risk perspective, this is exactly how migration should be done: gradual, controlled, and reversible.
If one financial institution deserves global attention for dotBrand adoption, it is Banco Bradesco. With 217 domains and around 90% active usage, Bradesco uses banco.bradesco as its primary domain and created a structured digital architecture where every major service line has a predictable entry point:
financiamentos.bradesco — loans and financinguniversitario.bradesco — student banking servicesfundacao.bradesco — the bank's charitable foundation
From a cybersecurity perspective, the approach eliminates ambiguity. A customer does not need to ask "is this website real?" The namespace itself answers the question. Bradesco demonstrates what dotBrand adoption looks like when an organisation commits fully and treats it as a platform rather than a novelty.
State Bank of India is a critical case study because it destroys one of the most common objections: "dotBrand domains are too confusing for average users."
SBI migrated online banking to bank.sbi. That is not a niche use case. That is national-scale retail banking. It demonstrates that customers adapt quickly when the institution is consistent and legacy domains are redirected properly.
(Note: The Reserve Bank of India recently ordered banks to move to the bank.in domain, so most active .sbi domains now redirect to subdomains under sbi.bank.in.)
The most extreme dotBrand deployment in the dataset is DVAG (Deutsche Vermögensberatung). The .dvag TLD alone contains around 9,000 registered domains with a near-100% live rate, using a "one domain per advisor" model. Each of the firm's thousands of financial advisors has a personalised domain — such as advisorname.dvag — hosting a branded website with contact details, services, and lead generation.
This is not marketing. It is governance. DVAG created a controlled identity system for thousands of individuals, with consistent branding and central oversight. From a legal and compliance perspective, advisors can have a personalised digital presence while the organisation retains full control over the environment.
Nearly all major U.S. financial institutions own dotBrand TLDs — JPMorgan Chase (.jpmorgan and .chase), Citi (.citi), American Express (.americanexpress and .amex), Visa (.visa), and others. Yet hardly any have migrated flagship consumer websites.
Usage tends to be tactical: internal projects, marketing microsites, and redirects. Legacy .com domains carry decades of consumer trust and SEO value. But phishing risk in North America is not decreasing — which means the strategic case for dotBrand adoption is becoming stronger, not weaker.
Some notable exceptions: Discover Financial used essentially 100% of its 100+ dotBrand domains actively. Allstate and State Farm use dotBrand domains as clean marketing redirects (auto.allstate, claims.allstate).
Looking across the dataset, the institutions that succeeded share common characteristics:
DotBrand domains succeed when they are treated as a trust programme, not a domain registration.
ICANN's next gTLD application window opens in April 2026 — the first opportunity in over a decade for organisations to apply to operate their own top-level domain. The application fee is USD 227,000, with annual fees of approximately USD 25,000.
The timing is relevant because the threat landscape has shifted significantly since the first round in 2012:
In that environment, dotBrand domains offer something rare: a trust signal that is structural, visible, and easy to communicate.
The question for financial institutions is no longer whether Brand TLDs deliver value. The evidence from a decade of deployment suggests they do — and they do it at scale. The strategic question is governance: does the institution have the internal capability to deploy dotBrand domains consistently, manage them as controlled infrastructure, and embed them into customer communication and digital architecture?
Because in finance, trust is not a slogan. It is the product.
What is a dotBrand TLD?A dotBrand TLD is a custom top-level domain that uses a company's brand name as the domain extension — for example, .barclays or .bradesco. Unlike .com, which anyone can register names under, a dotBrand is a closed namespace controlled exclusively by the brand owner under ICANN's Specification 13 rules.
How many financial institutions have dotBrand TLDs?As of late 2025, there are 80+ active Brand TLDs in the financial services sector, with over 16,000 registered second-level domains and more than 10,000 live websites.
How much does it cost to apply for a dotBrand TLD?The application fee for the 2026 round is USD 227,000, with annual ICANN fees of approximately USD 25,000 plus the cost of a technical registry service provider.
When is the next ICANN application round?ICANN's next gTLD application window opens in April 2026, with applications expected to be accepted over a 12–15 week period through July 2026.
Can dotBrand domains really prevent phishing?DotBrand domains do not eliminate phishing entirely, but they create a structurally verifiable trust signal. Only the brand owner can create domains under their TLD, which means customers can be trained with a simple rule: "if it ends in .barclays, it is Barclays." This is far harder to imitate than a .com address.
What is the redirect strategy?Many financial institutions use dotBrand domains as clean, branded redirects to existing website sections — for example, auto.allstate redirecting to the auto insurance page on allstate.com. This allows gradual adoption without disrupting existing infrastructure.
Is it too late to apply for the 2026 round?No. The application window opens in April 2026. Organisations considering an application should begin internal preparation now — including trademark clearance, stakeholder alignment, budget approval, and technical registry service provider selection.
This article is based on Pitch's Financial Services Sector dotBrand TLD Report. For structured guidance on Brand TLD strategy and the 2026 ICANN application round, visit Pitch Academy.
%402x.svg){kind=small}
%402x.svg){kind=icon}
