Reaching account data behind FedTrust Federal Credit Union's member app

FedTrust Federal Credit Union runs its members' accounts on the It'sMe247 online-banking core, with CU*TALK phone banking alongside it — both visible on the credit union's own member-services pages. It is a small, long-established institution: about 4,900 members and roughly $40M in assets per the CreditUnions.org listing, headquartered in Memphis, Tennessee, NCUA-insured, formerly Federal Building Federal Credit Union. The mobile app is a thin front end over that same core. The data an integrator wants — balances, certificate maturities, loan due dates, card activity, mobile-deposit status — already moves through one authenticated session. Reaching it is the whole job here, and it is a job we deliver, not a feasibility question.

The bottom line: this is a single authenticated session over a well-known credit-union core, not a sprawl of disconnected systems. The route we would actually take is member-consented interface integration of that It'sMe247 / mobile-app session, with the card-control and remote-deposit sub-flows modelled on their own. That keeps balances, history and deposit status in one normalized shape.

What member data the app surfaces

Getting to the data: the routes that apply

Member-consented interface integration (recommended)

The member authorizes access to their own FedTrust accounts; we drive the It'sMe247 / mobile-app session the way the app does and read the same ledger responses. Reachable: everything in the table above. Effort is moderate — the auth chain and sub-account mapping carry most of it. Durability is good for a CU*Answers core, which changes on a predictable cadence; we set up the consent capture and the session handling with you during onboarding. This is the spine we would build on.

Protocol analysis of the authenticated traffic

Where a member-driven session is awkward for a use case, we document the request/response contract directly — endpoints, token lifetime, error envelopes — and hand back an implementation against it. Same reachable data, more durable to client-side cosmetic changes, slightly more analysis up front. Often paired with the route above rather than used alone.

Native export as a fill-in

It'sMe247 lets members download statement and transaction files. That covers history well but misses live balances, deposit status and card state, so we treat it as a backstop for reconciliation, not the primary feed.

What you receive

Concrete artifacts, tied to FedTrust's actual surfaces:

• An OpenAPI specification covering the session, account-summary, certificate, loan, card, transaction-history and remote-deposit calls as we mapped them.
• A protocol & auth-flow report: the It'sMe247 login chain, member-number and credential handling, OTP step, session token lifetime and refresh, and the error envelopes the core returns.
• Runnable source for the key endpoints in Python and Node.js — authenticate, list sub-accounts, pull balances and history, read certificate maturities and loan due dates, check deposit status.
• Automated tests against recorded fixtures so a CU*Answers front-end change is caught, not discovered in production.
• Interface documentation and data-retention guidance written around member-consent records.

A look at the session and ledger calls

Illustrative shape, confirmed and pinned down during the build — field names and the OTP step are verified against live responses, not assumed:

POST /itsme247/auth/session
  { "member_number": "<cu>", "credential": "<secret>", "device": "<binding>" }
-> 200 { "session": "<token>", "otp_required": true, "expires_in": 900 }

POST /itsme247/auth/otp
  { "session": "<token>", "code": "<6-digit>" }
-> 200 { "session": "<token>", "expires_in": 1800 }

GET /itsme247/accounts?include=balances,certificates,loans
  Authorization: Session <token>
-> 200 {
     "member": "<masked>",
     "subaccounts": [
       { "id": "S0",  "type": "share",        "balance": 0.00, "available": 0.00 },
       { "id": "S7",  "type": "certificate",  "balance": 0.00, "rate": 0.00,
         "term_months": 12, "maturity": "YYYY-MM-DD" },
       { "id": "L1",  "type": "loan",         "balance": 0.00, "next_due": "YYYY-MM-DD",
         "payment": 0.00 } ] }

# remote deposit is a separate sub-flow, polled on its own:
GET /rdc/deposits?since=YYYY-MM-DD   -> status in {submitted,accepted,held,cleared,returned}

# token expiry returns a typed envelope, not an HTML redirect:
401 { "error": "session_expired" }  -> re-run /auth/session, resume

The remote-deposit poll is deliberately separate from the ledger read because a check can be accepted before it moves the balance; collapsing the two loses that signal.

Engineering realities on the It'sMe247 core

Two things we account for and handle, so they do not become surprises:

• Sub-account sprawl under one member number. A single FedTrust membership can hold a share account, a share-draft account, Christmas Club, ISMA, an IRA and more than one certificate product at once. We normalize those sub-account IDs to stable keys so a balance never lands on the wrong line when the core reorders them.
• Remote deposit and card controls live off the core. Mobile check deposit runs through its own capture-and-status sub-flow, and card lock plus activity notifications sit on the card processor, not the It'sMe247 ledger. We model these as separate services with their own polling, and the shipped test fixtures flag a CU*Answers front-end refresh before it reaches your integration. Access to a consenting member account or sandbox is arranged with you at onboarding.

Authorization and the rules around credit-union data

FedTrust is a federally chartered, NCUA-insured credit union, so the dependable basis for access is the member's own authorization to their accounts, handled under GLBA and Reg E privacy terms. We work consented and logged: consent scope is recorded, the member can revoke, access is data-minimized to the domains a use case needs, and NDAs are signed where the engagement calls for them. The CFPB Personal Financial Data Rights rule (12 CFR Part 1033) is not in force — enforcement is enjoined and the rule is back with the agency for reconsideration — so we treat it as where credit-union data sharing may head, not as today's governing framework. Designs we ship lean on member consent now and stay adjustable if that rulemaking lands.

How integrators use it

• A personal-finance app aggregates a member's FedTrust share, certificate and loan balances nightly so the member sees their full position in one place.
• A lender, with the member consenting, reads share-draft history plus certificate and loan balances for an asset-and-income check during underwriting.
• A bookkeeping tool syncs share-draft transactions for a member who runs a small operation, reconciling against posted items and running balance.
• A member-facing alerting service watches the remote-deposit sub-flow and notifies when a check moves from accepted to cleared or returned.

Screens from the app

Store screenshots, used here only to identify the surfaces mapped above.

Other credit-union apps in the same integration space

Same category, useful when a single integration needs to span more than one credit union:

• Navy Federal Credit Union — large member base; balances, transactions, loans and cards behind an authenticated app.
• PenFed Credit Union — checking, savings, loans and card data under a member login.
• Alliant Credit Union — digital-first credit union with balances, bill pay and mobile deposit.
• BECU — Washington-region credit union with account, loan and card surfaces in-app.
• First Tech Federal Credit Union — technology-sector membership; standard deposit and loan ledger.
• DCU (Digital Federal Credit Union) — savings, checking, loan and card data via its mobile app.
• America First Credit Union — accounts, transfers and card controls behind member auth.
• SchoolsFirst FCU — education-sector credit union with comparable account and loan data.

What we checked

This mapping was put together in May 2026 from FedTrust's own member-services pages (the It'sMe247 and CU*TALK references, account products and the certificate set), the iOS App Store listing for the app's feature list and version, the CreditUnions.org profile for size and charter background, and the CFPB's own reconsideration notice for the §1033 status. Sources opened:

• fedtrustfcu.com/member-services — products, It'sMe247, CU*TALK
• App Store listing — features, version
• CreditUnions.org profile — size, charter history
• CFPB §1033 reconsideration — current status

OpenBanking Studio · integration desk mapping, May 2026.

Questions integrators ask about FedTrust

Which accounts and balances are reachable — do the share certificates and the ScoreCard Visa come through?

Yes. The It'sMe247 session exposes the full membership: share and share-draft balances and dividends, the certificate products (Convenient Money, Simple Saver, regular share certificates) with their maturity dates, Christmas Club, ISMA and IRA sub-accounts, loan balances and payment due dates, and the Visa Platinum ScoreCard balance, due date and recent activity. We normalize the sub-account spread under one member number so each balance maps cleanly.

Does the work run through It'sMe247 or the mobile app traffic directly?

Both are on the table. The mobile app is a thin client over the same CU*Answers core that It'sMe247 serves, so we model the authenticated session and ledger calls once and reach them from whichever client is more stable for your use. Card lock and notification controls sit on a separate card-processor surface and are scoped on their own.

How is mobile check deposit exposed, and can deposit history be synced?

Remote deposit is a distinct sub-flow from the balance ledger — submission and status move through their own endpoints. We map deposit submission, the hold and clear status transitions and the deposit history list separately, so a sync can report a check as submitted, accepted or cleared rather than only showing the resulting balance change.

What governs access to an NCUA credit union's member data right now?

FedTrust is a federally chartered, NCUA-insured credit union, so the dependable basis is the member's own authorization to their accounts under GLBA and Reg E privacy terms. The CFPB Personal Financial Data Rights rule (12 CFR Part 1033) is not in force — enforcement is enjoined and the rule is back with the agency for reconsideration — so we treat it as where credit-union data sharing may head, not as today's governing framework.

Source for the It'sMe247 session and the remote-deposit endpoints is delivered from $300, billed only after you have it and are satisfied with a one-to-two-week build; if you would rather not run anything, our hosted endpoints are billed per call with nothing upfront. Tell us the app name and what you need from its data at /contact.html and we handle the access, the protocol work and the documentation.