Citing 'Unsatisfactory Risk Management,' NCUA Asks Credit Unions to Evaluate Relationship With FIS
The NCUA has asked credit unions which process their debit and credit card transactions with FIS to evaluate their relationship with the card processor in light of an information technology supervisory letter the company has received from the FDIC.
FIS processes credit and debit card transactions for the majority of card-issuing credit unions and has roughly 5,400 client credit unions.
The NCUA letter included a copy of the FDIC supervisory letter. An inter-agency team from the bank insurer, the Federal Reserve Bank of Atlanta and the Office of the Comptroller of the Currency conducted an interim supervisory review of FIS, which has both bank and credit union clients, on Oct. 17.
“I encourage you to review the Supervisory Letter as it discusses some regulatory concerns that require corrective action by FIS management and FIS Board of Directors,” wrote Larry Fazio, director of NCUA's Office of Examination and Insurance, in a letter to credit unions’ boards of directors.
The NCUA has not yet commented on the letter, which was significantly critical of FIS' management.
“FIS executive management supervision and control over the risk management and information security function are unsatisfactory,” the FDIC wrote in its letter. “Additionally, the Board of Directors does not provide sufficient direction and oversight for management responsibilities, as well as for independent review in these areas by Internal Audit.
“The breadth and severity of weaknesses noted at this IR stem from management's failure to adequately address previously identified systemic issues and to take proactive measures to mitigate the identified systemic risks. These weaknesses have exposed service financial institutions to increased risk, and have raised concerns regarding management's ability to establish and enforce effective information security measures commensurate with the need of FIS,” the insurer added.
For its part, FIS implied the FDIC supervisory letter had its origins in a hacker attack the processor suffered in the first quarter of last year. A statement from the company does not mention the FDIC supervisory letter at all.
“On Dec. 16, 2011, the Federal Financial Institution Examination Council Agencies issued FIS an Interim Review report noting eight matters requiring attention involving enhancing FIS’ information security functions,” the company wrote in its statement. “FIS immediately discussed the MRAs with the FFIEC, developed mutually agreed upon detailed action plans with target completion dates to address the MRAs, and is firmly committed to resolving these issues. On Feb. 28, 2012, the FDIC issued FIS a letter noting these same MRAs as well as FIS’ detailed commitments to resolve all the MRAs.
“FIS’ Executive Management team and Board of Directors have been actively engaged in the company’s information security functions before, during and after the Sunrise event and fully support the company’s actions in this area,” the Jacksonville, Fla.-based card processor added.
Published reports said FIS apparently lost $13 million to hackers in a prepaid card heist last year.