Dive Brief:
- Tampa, Florida-based FiCare Federal Credit Union sued Fiserv last week, alleging the payment processing giant provided inadequate cybersecurity through an online banking platform that offers services to small financial institutions.
- Hackers breached the system, called Virtual Branch Next, and took control of some credit union customers’ accounts to steal money, FiCare said in a complaint filed Tuesday. Then, Fiserv charged the credit union additional fees for a security upgrade, the complaint alleges. Fiserv denied the allegations in an emailed statement.
- FiCare is seeking monetary damages from Fiserv, and recovery of the lost funds, Charles Nerko, an attorney representing FiCare, said in an emailed statement. But the credit union hopes the case prompts Fiserv to improve its security. “Litigation can drive both accountability and compensation in a way customer service channels rarely do,” Nerko said. “If Fiserv billed for security it did not deliver, its customers should be made whole.”
Dive Insight:
The hacks on FiCare began in 2024, Nerko said. FiCare customers lost hundreds of thousands of dollars in account takeovers, according to the complaint, filed in U.S. District Court for the Middle District of Florida. Nerko declined to say precisely how much money was lost.
While FiCare reimbursed affected customers and alerted Fiserv to the problem, the payment processor did not reimburse the credit union for the breaches, according to the complaint.
"Fiserv’s systems lack basic security controls," FiCare said in its lawsuit. "They expose member information to easy compromise. They allow hackers to easily steal staggering amounts from financial institutions. And Fiserv continued to sell and operate these systems while assuring FiCare Federal that everything was secure."
The payment processor disputed the allegations outlined in the complaint.
"Fiserv disagrees with the claims and will vigorously defend itself in the lawsuit," a company spokesperson said in an emailed statement.
Specifically, FiCare alleged Fiserv failed to apply safety protocols such as biometric controls and multifactor authentication, according to the complaint.
Fiserv told customers in December that it would charge them for a security upgrade, and that they had until March to sign a new agreement to receive the enhanced protection, according to the complaint.
Fiserv has fielded a flurry of legal action in recent months. At least one other credit union – Durham, North Carolina-based Self-Help Credit Union – has alleged the payment processor used lax online security.
Shareholders have also accused Fiserv of, among other things, misleading investors about the success of the point-of-sale service Clover by forcing new customers to use it.
A lawsuit involving Clover was also filed Tuesday in federal court in Wisconsin and alleges that Fiserv funneled merchants to Clover from a different point-of-sale service to inflate Clover’s revenue, according to Bloomberg Law.
Virtual Branch Next, the product at the center of FiCare’s complaint, aims to help credit unions provide services online such as bill payment and financial management tools.
Fiserv's stock plummeted in late October after earnings disappointed investors relative to analyst expectations. Shares are down roughly 49% since Oct. 28.
CEO Mike Lyons, who replaced longtime CEO Frank Bisignano last year, has acknowledged some miscalculations but has defended the company's performance, particularly concerning the migration of its Clover point-of-sale product.