Online and Mobile Banking Resources

1. Why is CUA upgrading the digital banking system?

CUA and its IT vendor are committed to continually evolving and improving the capabilities of the digital banking system, with the goal of becoming the best digital banking system in the Canadian market.

This is an essential upgrade to ensure the digital banking system is in alignment with modern security and authentication standards via Multi-Factor Authentication (MFA). MFA is an important digital banking enhancement to help protect members from fraud and unauthorized access of their accounts. The implementation of brings the digital banking system in line with industry best practices for authentication standards.

The Aviso Wealth integration and password reveal button are two features that members have been anticipating and requesting. They add greater functionality for members who would like to view their investments directly in digital banking and improve the ease of logging in to the system.  

2. When is this change taking place?

The system upgrade is taking place on Wednesday, October 29th, between 1:00 a.m. and 8:30 a.m.  During this time, you will not be able to access the CUA website, online banking via the website or the mobile app. The first time you log in to online banking after 8:30 a.m. on Wednesday, October 29th, you will be prompted to set up Multi-Factor Authentication (MFA). 

1. What is MFA?

Multi-Factor Authentication or MFA is a security step that entails another layer of verification (which is also called a “factor”), after you provided your initial credentials of your username and password, in order to prove your identity before gaining access to an account or system. MFA provides an extra layer of protection against unauthorized access. This second factor beyond a username and password at login significantly reduced the risk of account compromise from phishing, credential stuffing or other password-based cyber-attacks. Even in situations where a password has been exposed, an unauthorized party is unable to access the account without the additional factor. A recent Microsoft study showed that MFA reduces the risk of unauthorized account access by 99%.

This is an essential upgrade to ensure the digital banking system is in alignment with modern security and authentication standards via Multi-Factor Authentication (MFA). MFA is an important digital banking enhancement to help protect members from fraud and unauthorized access of their accounts. The implementation of brings the digital banking system in line with industry best practices for authentication standards.

2. How do I register for MFA?

If you use the mobile app, you will first need to ensure your app is updated to the latest version. If you have automatic updates turned on in your device, this will happen automatically. If not, when you open the app, you will be prompted to update to the latest version. You will be required to do so before you can log in.

You will complete your login using your current username and password. Once successfully authenticated by password, you will be prompted to register for MFA using one of the following options: push notification, SMS text message, voice call or web authentication. These are described in question #4 below. Once the registration is complete, you will be given the option to register your device as a trusted device, which allows you to bypass MFA in future login sessions on that specific device.

3. What does the term push notification mean?

A push notification is a common tool used to send a secure message directly to your mobile app. The term “push” means the message is sent automatically to your mobile device, and the “notification” is the message that appears on your screen.

With CUA’s mobile app, after you enter your username and password, you’ll receive a notification asking you to approve or decline the login attempt with a single tap. It’s fast, secure and easy to do. This is also described in question #4 below

4. What is the difference between the different MFA methods?

There are four different multi-factor authentication (MFA) methods available:

1. Push notification (recommended option) sends a prompt to your mobile device via the CUA banking app. This allows you to approve or decline the login attempt with a single tap – it’s fast, secure and easy to do. CUA highly recommends using push notifications for your MFA method due to its ease and speed.

2. SMS authentication sends a one-time passcode via text message, which you must manually enter.

3. Voice call authentication delivers a spoken code through an automated phone call. This is often used as an alternative when SMS is unavailable.

4. Web authentication typically involves using a security key or device-based biometrics (like fingerprint or facial recognition) directly within a browser session. CUA does not recommend using this method due to the complexity to set up.

5. Where do push notifications come from?

Push notifications will be delivered through the mobile app. You will receive the notification directly within the app during the login process, making it a seamless and secure authentication experience.

6. How does the MFA voice call authentication option work for members who only have landlines? Will landline home phone numbers have to be verified in the banking system?

The voice call authentication option available to you as part of MFA works for any phone number where you can receive a voice call – this can be a landline or mobile phone number. If voice authentication is selected as your preferred MFA method, you will receive a phone call where an automated voice reads out your verification code.

7. Will email one-time passcode (OTP) still be available as an option after MFA is implemented?

MFA introduces a new authentication that is specific to the member login process using new MFA protocols. MFA at login only includes the options for push notifications, SMS text, web or voice authentication – email verification is not an MFA option for login.

Actions that you can perform today within digital banking that allow for email OTP as an authentication method will remain unchanged. This includes actions such as adding a payee, changing password, performing an inter-member transfer, changing contact details and adding e-Transfer recipients.

8. What is a trusted device and why should I add trusted devices to my account?

A trusted device is a personal, secure device that you choose to recognize for future logins. Once added as a trusted device, you won’t be asked to complete MFA each time you sign in from that device. Adding a trusted device makes it faster and more convenient to access online banking while maintaining security. For web browsers, the trusted device setting lasts for 12 hours and on the mobile app, it does not expire. The reason for this timing difference is that the research and fraud-related incidents are more prevalent on computers and they have greater risk of unauthorized access.

Registering trusted devices is an optional step you can take upon login and is not required for you to access your accounts via MFA. You can have up to five trusted devices registered in digital banking.

If you uninstall the mobile app from your device, you will lose the trusted device setting. Therefore, if you reinstall the app, you will be prompted to make your device a trusted device.

9. How often will I be prompted to use MFA upon login?

You will be prompted for MFA when logging in from a device that you have not designated as a trusted device. On mobile, once a device is marked as trusted, MFA will not be required again unless the app is uninstalled and then reinstalled, or the device is removed from the trusted list. For online banking via the website, trusted device status is limited to 12 hours for security reasons, so you will typically need to complete MFA once per day when accessing online banking from an internet browser.

10. Are there any secondary steps I will have to complete for MFA if I use biometric login (e.g., facial recognition)?

Yes, initially. When you log in for the first time after the upgrade, biometric login will be disabled by default. You will first be required to set up MFA for security purposes. After completing MFA and successfully signing in, you can re-enable biometric login (e.g., facial recognition or fingerprint). Going forward, biometric login will act as your primary authentication method and will bypass MFA for future logins on that device.

11. If I have multiple profiles, will I need to set up MFA for each one, or can I have a single authentication method for all profiles?

You will need to set up MFA for each profile separately, as each login is treated as an independent profile – similar to having a separate username and password for each one. However, for business users, there is an option to consolidate profiles, which allows you to switch between them without having to complete MFA each time. This feature helps streamline access when managing multiple profiles under the same login session. You can find the Instruction Guide to consolidate your profiles on our website.

12. Will the MFA sign-in process be the same for delegates who are set up by a small business user?

Yes, it will be a consistent experience for all users, regardless of if they are a delegate or the owner of the small business account.

13. Is screen scraping being disabled as part of MFA, or is the software (i.e., Intuit products) that can access digital banking being blocked from overall access?

Screen scraping is effectively being disabled due to the introduction of MFA, which prevents third-party aggregators from accessing accounts using member credentials. However, Intuit has specifically been permitted to bypass MFA, so you will still be able to use products like QuickBooks and TurboTax. Access for other third-party aggregators will be blocked.

1. What information do I need to integrate my Aviso investment accounts with my CUA digital banking?

To link your Aviso accounts, you will need to enter your Aviso Client ID, last name and postal code. Your date of birth will be pre-populated. You can find your Aviso Client ID on your Aviso statement.

2. What types of Aviso wealth management accounts can I link to digital banking?

The wealth management accounts that are available to link are: Aviso Wealth, Qtrade Investor and Qtrade Guided Portfolio.

3. If I close my browser while account linking is in progress, what happens when I log in again? Will the linking be completed?

If you close the browser before successfully linking an account (i.e. before seeing the completion screen with the success message), the process will not be completed and the account will not be linked.

4. Will I be able to perform transactions (such as buying or selling securities) directly from digital banking?

No, the Aviso integration is view-only, meaning that to perform any transactions, you will need to log in directly to your Aviso account. The integration allows you to see a consolidated view of all of your Aviso account activities in one place, including your investment account balances, recent transaction history, and account details, including current securities held and the value of those investments.