[HoyaSaxa]

It is hard to be certain without knowing the particular credit union, but as others have mentioned this data is likely used to counter bot login attempts.

But this is more of a business decision than a security decision likely. It is probably to prevent services like Intuit (Mint.com, Quickbooks, etc), Plaid, Quovo, and other data aggregators from accessing online banking and screen scraping / web crawling. Obviously, there are security reasons to prevent this access as well, but it has historically been a business decision with security as an excuse.

Disclaimer: I'm co-founder of a company that powers online banking, mobile banking, and open banking APIs for credit unions and banks and used to be CTO at a credit union.