How the hell do you even think "it's fine, I'll put this password in plain text" when literally building an app for a CREDIT UNION? Obviously it's not acceptable to do that anywhere, but you would think they would think just a little bit harder about the decision when working with such sensitive data?
Plenty of cheap labor contractors will write up the basics without paying attention to things like encryption. I know because I’ve had to work with that sort of thing
Every credit union I have been a part of had some home brewed security system that did not follow best practices. Really felt like they contracted out to some kid still in college just to have something online.
I’m certain there are better CUs out there, but I think the issue is most can’t afford much better.