On the Bank of America website, they have "Sign-in" area on their homepage, but the homepage is NOT on a SSL!?!?? The <FORM> that that submits the login information is submitted to a secure site, but doesn't the entire transaction have to take place on a SSL in order for it to be secure?

http://www.bankofamerica.com/

I have some clients that would like to be able to put a login area on their homepage, but I've been telling them they can't unless the homepage is on a SSL (https://)... is that correct?