Attn: US Credit Union users

Like many others, I gravitated towards Credit Unions w/ perks like refunding ATM fees, a large network of ATMs and the ability to bank at virtually any other credit union.

Since they are not-for-profits, they are not incentivized to sell/aggregate/harvest my personal data…

…Or so I thought.

A new rule (as of 5/1/2025) across all Co-Op Credit Unions (+5,000 branches) requires out-of-state users upload their government ID and a real-time photo of themselves every time they go to the teller. The two most affected parties that I can see are people that kept their old Credit Union when they moved out of state, as well as those signed up for online credit unions with an out-of-state home branch.

I could not see the biometric vendor’s privacy policy (you have to give your banking info + SSN before they share that smh), but they do have another privacy policy up-front that is a doozy:

By using IDCheck, you consent to the Shared Branch Credit Union and its service providers and any third party financial institution that will facilitate the transaction, including the service provider that will collect, process, and retain your biometric information and identifiers (the “Biometric Service Provider”) and the provider of the IDCheck mobile application (the “Mobile Service Provider”) to collect, process, generate, use, and retain your personal information, including: biometric information; biometric identifiers; facial image; facial geometry; name; social security number; driver’s license information; address; date of birth; and any other personal information that you provide or that is otherwise obtained or developed about you.

Separately, the mobile service provider is the Co-Op Network (now doing business as Valera), and their privacy policy does not specify a limit to their retention policy and insinuates that they plan on selling your data in the future:

(Emphasis mines)

Right to opt-out of the sale or sharing of Personal Information:

We do not currently, nor have we in the preceding 12 months, sold or shared (in this context, share means use of your Personal Information for cross-contextual behavioral advertising) your Personal Information. We also do not knowingly sell or share the Personal Information of individuals under the age of 16 or as required by other applicable law.

Edit: My understanding is that the Co-Op/Valera privacy policy applies to ALL transactions done through a shared ATM/branch actually. At best, it seems non-committal around data retention and selling data, but from my perspective, it is the antithesis of what Credit Unions stand for, and is a key first step to compiling data points and creating lucrative profiles of members to sell.

The process/privacy policy can be viewed here:

and the scope of affected banks can be viewed by Googling idcheck credit union

This is so disappointing. I’m not sure how credit unions are structured in the U.S. but as a member I wonder if there’s a way you can voice your concerns beyond just submitting a complaint to some low-level manager?

Did they notify you before this change of terms? They have to, don’t they? I’m also a credit union member and I know of no change of terms taking effect this month.

This appears to be a change to a B2B service from Co-op Solutions (now renamed Velera after a merger). Presumably many US credit unions are not impacted.

Valera/Co-Op Solutions is the company providing the back-end so that credit union can communicate with each other.

For example, any time you try to find/bank with/use a branch or ATM not owned by your CU, my understanding is that the integration uses Co-Op Solutions/Valera as a back-end.

I don’t disagree that it is a B2B relationship, but the concern is that it is Valera/Co-Op Solutions ↔ all other Credit Unions.

The biometrics’ specific requirements currently only apply to out-of-state credit union transactions, but I am realizing now that the Valera privacy policy likely applies to any transaction that takes place outside of your Credit Union’s ATMs/branch? Please chime in if you have evidence to the contrary tho.

I submitted the info to a news media corporation to try and get more eyeballs on it.

I might need to clarify a bit more in my original post. The biometric requirements are only when you bank with an out-of-state branch. However, my understanding of the “We do not currently sell your data…” privacy policy from Valera potentially applies to all transactions that use the Co-Op network (ie: surcharge free ATMs or accessing your account at a different CU that is part of the Co-Op/Valera network)

It may not be obvious, but the network is doing this because it limits fraud between federated members.

Say I have a relationship with a 3 branch credit union. What prevents someone appearing at a different credit union in another timezone, saying they are me, with a doctored passport and need to empty my account to pay for a sick relative?

I’m surprised the rule doesn’t apply to in-state transactions. The US has some rather large states.