I’m done with credit unions. They just create the illusion of a small org but then farm you out to big companies via outsourcing anyway.

• Most credit unions have outsourced just about every aspect of their business. They are like shell companies all working as many different façades to the same giant corporations. CUs in-house expertise doesn’t go far beyond their branding and marketing. Your sensitive financial info gets shared around with a handful of giant corporations while giving the illusion that you have the privacy benefits of a small CU.
  • billpay outsourced to 1 or 2 different billpay services nationwide
  • monthly statement generation: outsourced to the same few corps
  • statement printing: outsourced, then they charge you for it
• Credit unions spam the shit out of whatever email address you supply, thus enabling all entities handling the email to see where you bank each time the CU decides to spam you. Commercial banks are better on this in my experience. I think commercial banks have calculated that spam just angers people and drives them off, whereas credit unions are either not diligent enough to make that calculation or they are assuming their small org appearance will go a long way in obtaining forgiveness.
• Most credit unions have put their website on Cloudflare in the past few years. Which means:
  • Consumers are generally forced to expose their account credentials to a privacy-abusing tech giant (while agreeing to be accountable for damage stemming from credential leakage)
  • Consumers are generally forced to expose to their credit union their approximate physical location every single time they connect to the website as a consequence of Cloudflare. Which means if they move outside of the CUs service area some CUs will notice that and even freeze/lock the account. They tend to admit directly in their privacy policy that they collect IP addresses specifically for geolocation tracking of their customers.
  • Consumers are generally forced to expose to their ISP where they bank as a consequence of Cloudflare. And considering Trump overturned an Obama policy that required ISPs to obtain consent for collecting and selling customer personal data, there is nothing to stop your ISP from selling info about where you bank to data brokers and debt collectors. Biden did not reverse Trump’s privacy sabotage.
  • Cloudflare can at any moment decide to block you for any reason arbitrarily, and suddenly your web access to your money is gone.
  • Consumers who are behind CGNAT outside of their control are often blocked by Cloudflare. If a snot-nose script kiddie in your CGNAT pool decides to scrape some websites, CF’s excessive protectionism might kick in and block the IP which could go to you next, and you lose access to your money because CF overreacted to a harmless snotnose kid.

Being free from Cloudflare sometimes means you can login over Tor and avoid most of the problems above. OTOH many commercial banks also block Tor increasingly more frequently lately (because they also want to track your physical whereabouts). There may be some Cloudflare-free CUs that still permit Tor logins though it’s becoming harder to find them.

Gratis paper statements are important more than you realise:

If you cannot find a bank or CU that gives you the privacy of Tor, the best feature to look for is gratis paper statements and paper checks so you can scrap the website and take back your privacy. It’s more common to find gratis paper statements from banks than CUs. As enshitification of the web proliferates and more FIs join Cloudflare, gratis paper statements is an important safety net so you can ditch their tech the moment it goes sour.

Regarding apps:

Credit unions do not write their own software. You have just a few closed-source Google Playstore banking app makers who all the credit unions outsource to. Whereas every commercial bank reinvents the wheel with their own implementation. For me it’s a shitshow no matter what. I am not going to enter Google Playstore and tell Google where I bank and let Google track exactly which software version I have which also reveals what vulns I inherit, to then run a closed-source app that snoops on me in countless unknown ways. Fuck all that.