IMPORTANT NOTE: When It’s Me 247 was updated in 2021, the “See” option shown here was made unavailable.
There are two major points to consider when thinking about allowing members to see information beyond the account to which they are actually logged in. Both extend beyond online banking to consider a financial institution’s role and responsibility in protecting member private data via all access channels, from the teller line to a back office employee answering a phone call.
(1) How does a credit union generally recommend or facilitate a member giving access to their private information to others?
Whether via online banking or across an MSR's desk, a credit union has to remember that its actions imply that it considers, and warrants, that the way the member uses the account is safe and sound. It then has to make sure the member always takes responsibility for their actions if they decide to go outside of best practice (e.g., sharing a PIN from a debit card, or writing online access credentials on a note pad and leaving it on the family computer).
Online access is no different than a person requesting access or information at the teller line. It needs to be locked down and challenged because the CU is complicit in giving the access. We have heard of online banking systems that auto-grant access to members as long as they enter an account number and password. But these systems are actually endorsing practices a credit union would likely never grant at a teller line or over a phone. It is even more problematic that the person who signs on to a membership can see the entire membership relationship, whereas when talking to a CU representative, the CU representative can filter access by suffix.
Certainly convenience is to be balanced here. But it is not convenient to have long passwords. It is not convenient to have security questions or layered security. It is not convenient to have many of the things that we are required to do to make sure the member takes the proper steps to indemnify and clarify how much risk they are taking with their credit union accounts. If it was all about convenience, there would be no controls at all.
The member is the ultimate security officer, and even in a situation where the membership is seen as "joint," the household in this case needs a single security/authentication policy and administrator. Someone at the member’s household has to make the call; otherwise the CU finds themselves in the middle of divorce, family issues, bankruptcy, and, in the case of businesses, employee firings, employee distrust, and employee oversight.
Note: CU*BASE does not offer the automation of Joint Memberships (one owner who is joint on all sub-accounts automatically) – not in teller, phone, or any other channel, including online banking. We have envisioned making changes to control par for joint memberships, alter our voting software for joint memberships, etc. But we have no real plans as of yet to automate this concept for online banking.
A development project is underway to allow members to approve See and Jump access via PIB controls. This would allow members to grant access to their accounts without calling the credit union. (Watch the Kitchen for status updates on this future development project.)
(2) How might a business or even a member view giving non-owners access to the online banking capabilities?
Now this is a totally different ball game. The most common example of this is an organizational membership where multiple employees need to access the account for various purposes. Handling this via online banking tools is on a par with writing a software product for your CU to manage employee access to the credit union's data. It requires access/authentication rules for multiple trusted individuals. It also requires multiple levels of control: one person restricted to basic view-only functions, another allowed to perform limited transaction sets, and still another trusted to complete any task on the membership's behalf. And with more complexity and flexibility comes the need for more security and even greater care to protect private information.
Note: In a separate development project, we are considering adding the ability for a single membership to allow multiple users each to have an individual user ID and password to the same membership account, with varying levels of access privileges. For example, Level 1 access privileges might allow a person to see basic account data but not perform any actions. Level 2 would allow same-member transfers but little else. Level 3 would be full access, allowing inter-member transfers, A2A, bill pay, etc. Each trusted individual would have their own unique sign on ID/password and security questions, and their access would be logged. The primary membership owner would be the administrator of the setup and maintenance of trusted individuals, with the potential of their being able to grant administrator-level privileges to others as well. There would be an indemnification agreement for the primary member to activate and set up the first additional trusted individual. (Watch the Kitchen for status updates on this future development project.)
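The tiered model described in the note above, sketched as an added example (this is not CU*BASE or It’s Me 247 code). The class, method, and action names are hypothetical; the sketch assumes deny-by-default, that only the primary owner can sign the indemnification agreement, and that every attempt is logged whether or not it is allowed.

```python
from dataclasses import dataclass, field

# Actions per level, following the Level 1/2/3 description (action names are hypothetical).
LEVEL_ACTIONS = {
    1: {"view"},
    2: {"view", "same_member_transfer"},
    3: {"view", "same_member_transfer", "inter_member_transfer", "a2a", "bill_pay"},
}

@dataclass
class Membership:
    owner_id: str
    indemnified: bool = False
    users: dict = field(default_factory=dict)   # user_id -> (level, is_admin)
    audit: list = field(default_factory=list)   # (actor, event, allowed)

    def __post_init__(self):
        self.users[self.owner_id] = (3, True)   # primary owner: full access, administrator

    def _log(self, actor, event, allowed):
        self.audit.append((actor, event, allowed))   # denied attempts are logged too
        return allowed

    def sign_indemnification(self, actor):
        ok = actor == self.owner_id
        if ok:
            self.indemnified = True
        return self._log(actor, "sign_indemnification", ok)

    def grant(self, actor, user_id, level, is_admin=False):
        _, actor_admin = self.users.get(actor, (0, False))
        # No trusted individual can be added before the owner signs the agreement.
        ok = (actor_admin and self.indemnified
              and level in LEVEL_ACTIONS and user_id != self.owner_id)
        if ok:
            self.users[user_id] = (level, is_admin)
        return self._log(actor, f"grant:{user_id}:L{level}", ok)

    def authorize(self, actor, action):
        level, _ = self.users.get(actor, (0, False))      # unknown user -> level 0
        return self._log(actor, action, action in LEVEL_ACTIONS.get(level, set()))

def demo():
    m = Membership(owner_id="owner")              # constructed sample users below
    early = m.grant("owner", "clerk", 1)          # refused: agreement not yet signed
    m.sign_indemnification("owner")
    m.grant("owner", "clerk", 1)
    m.grant("owner", "bookkeeper", 2)
    return {"early_grant": early,
            "clerk_view": m.authorize("clerk", "view"),
            "clerk_transfer": m.authorize("clerk", "same_member_transfer"),
            "bookkeeper_bill_pay": m.authorize("bookkeeper", "bill_pay"),
            "clerk_grants": m.grant("clerk", "friend", 3),
            "unknown_view": m.authorize("stranger", "view"),
            "audit_len": len(m.audit)}
```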