Glendale Federal Credit Union — NCUA charter 7557 per creditunions.org's listing, with branches in Glendale, Culver City, and Los Angeles since 1951 — runs the app under the package id org.glendalefcu.grip (per its Play Store listing). The data an integrator actually wants sits behind the same member-banking session a member signs into at my.glendalefcu.org: posted balances, cleared and pending activity, scheduled bill payments, internal transfers, mobile-check deposits in flight, monthly statement PDFs, and the card-on/off controls.
This page covers what GFCU holds, the consent route to reach it, and what OpenBanking Studio actually hands you at the end of a build. The audience is the relying app — a PFM, an accountant's portal, a small-business bookkeeping tool — that needs member-permissioned data and runnable code, not a brochure.
Where the data sits inside the app
The Play Store description names most of the surfaces directly. Mapping them to the fields an integrator pulls out the other side:
| Domain | Where it surfaces in the app | Granularity | What an integrator does with it |
|---|---|---|---|
| Balances | Home / accounts screen, low-balance alert config | Per-account, near-real-time | Daily sync; trigger external alerts mirroring the in-app threshold |
| Transactions | Activity tab, with member-added tags, notes, and receipt photos | Per-posting, plus PII metadata when consented | Feed PFM categorization, accounting reconciliation, or underwriting pipelines |
| Bill pay & P2P | "Pay a bill" and "Send money" flows | Per-payment, with payee identity | Reconcile outgoing payments, watch payee changes for fraud signals |
| Internal transfers | "Move money" flow | Per-transfer | Cash-flow modelling between the member's own accounts |
| Mobile RDC | "Deposit a check" with front/back capture | Per-check, image references and a pending→posted status | Surface deposit timing for cash-flow products; gate image references on explicit consent |
| Statements | Documents tab, monthly | PDF, per-account, per-month | Long-window history backfill, tax reporting |
| Card controls | Card tab — turn off, reorder | State + event | Mirror card status into expense tooling or fraud monitoring (read-only by default) |
Authorized routes to that data
1. Member-consented session integration (the spine)
The member grants scoped, written consent to the relying app; the studio binds to the same online-banking flow the GFCU app uses, refreshes the session on the cadence the portal expects, and emits each domain in an FDX-aligned shape. This route is dependable for every surface listed above, does not depend on whether the institution participates in any particular aggregator, and is the default we recommend for builds against a small FCU like GFCU.
2. Aggregator-routed access (Plaid, MX, Akoya, Finicity)
Where a covered aggregator already maps Glendale FCU and returns clean domain data, we route through them — it is faster to stand up and the consent UX is familiar to members. Coverage of small California FCUs varies by aggregator and by quarter, so we test live, per domain, before committing. When coverage is thin we fall back to route 1 transparently.
3. Native member export (backfill only)
The portal lets a member download monthly statement PDFs and CSV-style activity exports. We use this strictly as a backfill source for long historical windows — it is not a sync channel — and pair it with route 1 for the live tail.
For GFCU specifically, the spine is route 1 with FDX-aligned output; route 2 is opportunistic; route 3 backfills history.
The consent basis and where US rules sit
Glendale FCU is a federally chartered, federally insured FCU under NCUA supervision, with the usual federal layer (GLBA for safeguards, Truth-in-Savings on the deposit side) and California's CCPA on the privacy side. The dependable basis the integration rides today is the member's own written authorization, granted to the relying app with a specific scope (the exact domains above), an expiry, and a revocation path the member can hit at any time.
The CFPB's §1033 Personal Financial Data Rights rule was finalized in October 2024, then enjoined and sent back into agency reconsideration in August 2025 (per the Federal Register notice). Even under the original schedule, an FCU of GFCU's asset tier sat in a later phase. The build does not depend on §1033 being in force — the consent grant carries it — but the FDX-aligned shape we emit is forward-compatible with whatever the rule becomes after reconsideration.
Deliverables you receive
- OpenAPI spec for the GFCU member-facing domains — accounts, transactions (with the optional member-tags/notes/receipt-photo fields), pay, transfers, RDC, statements, card status.
- Protocol & auth-flow report documenting the GFCU portal session, OTP/PIN second-factor handling, token-and-cookie lifecycle, and refresh behaviour.
- Runnable reference clients in Python and Node.js for every endpoint in the spec, including the RDC pending-poll loop.
- Automated test suite (pytest + jest) running against a consented test member, covering happy path, MFA challenge, expired-session refresh, and partial-domain consent.
- Interface documentation as Markdown plus a Postman collection a developer can import and run.
- Compliance & retention guidance covering GLBA, CCPA, the studio's consent-log schema, and a data-minimization checklist for the deployed integration.
A look at the request shape
Skeleton, illustrative — the field names and the MFA hook are confirmed against a consented member session during the build, not before it:
# Illustrative — confirmed against a consented GFCU member session during the build.
from openbanking_studio.gfcu import GfcuMemberClient
client = GfcuMemberClient(
portal="https://my.glendalefcu.org",
consent=consent_grant, # signed scope: balances, transactions(with_tags), statements
on_mfa=handle_otp, # GFCU portal can prompt for OTP/PIN on a new device
)
session = client.open_session(member_id=consent_grant.member_id)
for account in client.list_accounts(session):
txns = client.list_transactions(
session,
account_id=account.account_id,
since="2026-02-01",
include_member_tags=True, # surface tags/notes the member added in-app
)
# Emitted in FDX-aligned shape:
# { "postedTimestamp", "amount", "currencyCode": "USD",
# "description", "status", "memberTags": [...], "memberNote": "..." }
# Mobile RDC items expose a status that moves pending -> posted.
# Poll cadence is driven by the relying app (default 15 min while a deposit is pending).
deposits = client.list_pending_deposits(session)
Notes from the engineering side
Three things specific to GFCU that we account for so the relying app does not stub its toe later:
- Member-generated content is PII. The transaction tags, notes, and receipt photos a member adds in the app are not GFCU-side data — they are content the member typed or shot. We scope these as opt-in within the consent grant, and receipt-image surfaces are off by default until the relying app declares it needs them. This keeps the sync minimal and the consent disclosure honest.
- The card-controls path is state-changing. Turn-off and reorder events sit in the same UI tab as read-only card status. The delivered SDK exposes the read paths by default and gates the write paths behind a separate wrapper that routes any action back through GFCU's own MFA — so a runaway automation cannot lock a member's card on the member's behalf.
- Mobile RDC has a moving status. A deposit can sit "pending" for hours and then flip to "posted" with the amount finalised. We tune the polling window short enough to catch that transition for cash-flow products, but long enough not to hammer the portal — a single member usually deposits a handful of checks a month, not a stream.
None of this is a precondition the relying app has to satisfy first. Sandbox or consenting test-member access, NDAs where the relying app's product is sensitive, and the consent-log schema are arranged with you during onboarding as part of the engagement.
Where the work tends to land
- A California PFM onboarding a GFCU member. Pull balances and transactions on a daily sync; mirror the member's low-balance threshold from the app so the PFM's external alert lines up with the in-app one. Two domains, dependable, fast to stand up.
- A small-business bookkeeping app whose owner banks at GFCU. Transactions with the member-added tags and notes flowing into the ledger; receipt photos optional and gated. The build leans on the FDX-aligned transaction shape so the same code paths work when the owner adds a second account at another institution.
- An accountant in Glendale serving GFCU clients at tax time. Programmatic statement-PDF retrieval per member, archived per the studio's retention guidance. Native export carries the historical window; route 1 keeps the current month current.
How we price and run the build
The price for a build like this starts at $300, and what you pay buys runnable code — not a brochure. You can hand us the requirement, take delivery of the source for the GFCU surfaces you actually need, run it on your own infrastructure, and settle the $300 invoice once the build matches what you asked for. You can also skip standing it up at all: we host the endpoints, and you pay only when calls run, no upfront fee. Delivery cycle on either shape is one to two weeks. Tell us which surfaces you want and we will pick the path with you.
What the app's surfaces look like
The screens below are the public Play Store captures — what an integrator sees when scoping the route. Tap to enlarge.
Peers in the US credit-union mobile-banking landscape
The data shape carries cleanly across the US credit-union sector — the same balances/transactions/RDC/statements/card-controls quartet shows up under different brands. Relying apps building a credit-union integration usually have one or more of these in scope alongside GFCU. Names listed neutrally, no ranking implied:
- Alliant Credit Union Mobile — out-of-state digital-first FCU; balance-preview and credit-score widgets sit in the same shape as GFCU's home screen.
- SchoolsFirst FCU Mobile — California neighbour at a much larger asset tier, education-employee charter; useful comparison for transaction volume.
- Logix Federal Credit Union Mobile — Burbank-based, in GFCU's immediate geographic footprint; overlapping member base in some households.
- Patelco Credit Union Mobile — northern California peer, mid-size; broad product surface including mortgages and auto.
- UNIFY Financial Credit Union Mobile — multi-state FCU that also runs a Glendale branch; same retail-banking surface.
- Kinecta Federal Credit Union Mobile — southern California peer with a similar deposit and card product mix.
- Navy Federal Credit Union — much larger, but the integratable domains overlap exactly: balances, transactions, RDC, statements.
- PenFed Mobile — DC-based, large FCU; comparable product surface and a similar consent flow.
- BECU Mobile — Washington-state community FCU; useful aggregator-coverage comparison for the same domains.
- Eastman Credit Union Mobile — small/mid FCU outside California with a member-focused app; close functional twin to GFCU.
Questions integrators usually ask first
Does GFCU Mobile Banking show up in Plaid or another aggregator today?
Aggregator coverage of small California FCUs varies by aggregator and by quarter. Before we commit to a route, we run a live test against a consented GFCU member through Plaid, MX, and Akoya to see who covers the institution and which data domains come back clean. If coverage is partial or missing, the build falls back to direct member-consented session integration against the GFCU member portal, which is dependable regardless of the aggregator footprint.
Can the integration capture the tags, notes, and receipt photos members add to their transactions?
Yes — those fields are member-generated content, so we treat them as PII inside the consent scope. The default delivery exposes tags and notes; receipt-image surfaces are off by default and only fire when the consent grant explicitly includes them. This keeps the sync minimal until the relying app actually needs the image references.
Where does CFPB §1033 sit for an integration against a small California credit union right now?
The Personal Financial Data Rights rule was finalized in October 2024, then enjoined and sent back into agency reconsideration in August 2025 per the Federal Register notice. Even under the original schedule, Glendale FCU's asset tier put it on a later compliance phase. The build does not depend on §1033 being in force — the member's own authorization is the dependable basis, and the FDX-aligned shape we deliver is forward-compatible with whatever the rule becomes.
If a member toggles their debit card off through the app, will the integration see that state change?
Yes, the card on/off state is one of the surfaces we expose, polled at a cadence the relying app chooses. The wrapper marks it read-only by default — the delivered SDK reads card status but will not toggle it on a member's behalf unless you explicitly opt into the gated write-channel and route the action back through GFCU's own MFA.
How this brief was put together
Sources opened for the institutional facts, the regulator pieces, and the route-1 mechanics:
- Glendale FCU member services page — the in-portal surfaces (deposits, transfers, statements, card tools) named the way the credit union names them.
- creditunions.org institution listing — NCUA charter number, asset peer group, founding year.
- Federal Register, Personal Financial Data Rights Reconsideration (Aug 2025) — the §1033 status anchor.
- Cozen O'Connor alert: §1033 Compliance Date — Enjoined and Under Reconsideration — confirmation that the rule sits stayed pending reconsideration.
Mapping reviewed by the OpenBanking Studio integration desk, 21 May 2026.
App profile (appendix)
App name: GFCU Mobile Banking. Publisher: Glendale Federal Credit Union. Android package id: org.glendalefcu.grip (per Play Store). iOS App Store id: 1532783265 (per the App Store listing). Category: Finance — credit union mobile banking. Headline features per its store description: account balances and low-balance alerts; transactions with member-added tags, notes, and receipt photos; bill pay and P2P; internal transfers; mobile remote deposit capture; monthly statements; debit-card lock and reorder; branch and ATM locator. Institution profile: federally chartered, federally insured FCU, NCUA charter 7557, headquartered in Glendale, California, in operation since 1951, with branches in Glendale, Culver City, and a Los Angeles office (per creditunions.org and glendalefcu.org). This appendix is neutral factual recap; nothing here is asserted beyond what its sources say.