At Credit Union Futures, Ross wrote a nice response to the book The Age of Surveillance Capitalism. I encourage you to read his post.
Unfortunately I don’t know any examples of credit unions doing anything better than the banks when it comes to marketing to their members or curtailing the growing abuses of emerging technology.
Coast Capital Savings never used to engage in email marketing. I never received emails from them except if it was from an employee whom I had been dealing with personally. I always assumed this was a good thing because email is an insecure medium.
This changed on Nov. 23, 2016 with a mass email from CEO Don Coulter encouraging members to vote in the 2016 vote to become a federal credit union. The CEO should not have been meddling in the governance issues of the members, but that’s another matter.
The marketing department got involved in January 2018 when members received the first mass marketing email, offering $10000 in prizes to members who would be willing to chat with them about retirement. The fine print was meant to be reassuring:
“Your privacy is important to us. … Coast Capital Savings email or text messages do not contain links or non-secure web access requiring them to enter their personal or confidential information.”
Perhaps you can guess what was attention-grabbing about this email. At the top was a link to “Sign in,” which took the reader to a web page that invited them to enter their card number and PIN. It should go without saying that members should be trained not to click on email links and then enter their banking information.
This continued for five more marketing emails until members received an email in November (still 2018) with the following worrisome notice:
“We’re sharing this important message to make you aware of a fraudulent email and text that are currently circulating claiming to be from Coast Capital Savings.
Please be advised that Coast Capital Savings would NEVER send you a link via text or email to request your account number, password, …”
Nevertheless, a mere six days later, another marketing email message invited members to click a link to “Sign in”. Of course, we must assume that the email was from Coast Capital. It looked legit…
On December 10, 2018, members received a “Fraud Alert Update” email that perhaps a child would have found reassuring. In language that seems more like it was written by marketing communications than by technical auditors, they said:
“We want to assure you that Coast Capital’s systems are safe and secure.”
Perhaps they were trying to get ahead of the news cycle. It wasn’t until February 4, 2019 that this story broke:
Cyber criminals target local bank customers and wipe out savings
Logan Hill, 14, was devastated to recently find his savings account wiped out – $1,400 of his hard earned money collected from delivering the North Shore News. He was one of more than 140 Coast Capital Savings customers whose accounts were breached after attacks by cyber thieves.
A Coast Capital spokesman said: “The cyberattacks occurred in late 2018 and targeted customers through phishing emails and a brute force attack…”
Also see this article: Cyber thieves make off with hundreds of thousands of dollars in attack targeting Coast Capital Savings
The point of my chronicle is that Coast Capital engaged in their email marketing campaign with no regard for the insecure nature of email, and with no effort to educate members about what it’s like to be on the receiving end of a phishing attack. It will look authentic, and yet the reader must learn to resist clicking! Perhaps it was an easier threat to brush off back in the day when phishing emails would be full of bad grammar and spelling. Times are changing. Coast Capital’s only initiative on this matter was to insert the lawyerly fine-print that I quoted above, weakly implying that clinking on a link contained in an email could be perilous.
Coast Capital is not unique in this regard. Vancity Savings Credit Union started using unsolicited email in December 2017 to notify members that the member’s monthly statement was now available. These emails were different because they contained only plain text (no links to click on), which is a good thing. However, they nevertheless still contained various instructions to members. The problem remained: If you teach members to trust what they read in an email that purports to be from their financial institution, they’re going fall for the next phishing scam that they encounter.
Then in September 2019, Vancity, too, adopted the full-colour HTML marketing mass-email, with lots of links to click on. And if you clicked on the Vancity logo that appeared at the top of the email, you could enter your card number and PIN to log in. And to remind you, this is NOT recommended practice!
Here is an example (from March 2020) of Vancity contradicting its own advice.
So I don’t see anything commendable about how these credit unions have responded to the availability and allure of corporate marketing tools. They have engaged in the type of work that presumably justifies the departmental budget.
Does the marketing department have a role to play at credit unions? Certainly yes, but the messages to their members should surely be different that what the banks would want to say to their clients.
Of course, the problem at Coast Capital is that the Board wants to marginalize the members’ involvement in their credit union–to treat them like customers. The credit union is being cultivated as an asset of the management, the Board, and the eventual new owners who will be the Class D equity shareholders (outside investors).
The broader issue is about how credit unions respond to the changing technological landscape. Let me remind you about my previous blog post in which I described how, in their desire to bring new online banking functionality to their members, Coast Capital did not think it was worth discussing that they would now be storing members’ financial information on US soil, subject to US law.
So in the age of surveillance capitalism, there’s currently no reason to think that credit unions will model the best corporate practices with respect to use of their members information.