FIS Card Unit Used By Many CUs Focus of Federal Audit, Letter Reveals
FIS' North American Card Services, was one of the “operations, functions and facilities” that federal regulators examined or reviewed during their October 2011 interim review of the processors' information technology procedures and practices.
NACS is the part of FIS responsible for card transactions and card management for the processors' credit union and bank clients.
Other facilities or operations examined included the Horizon Technology Centers East and West, BancLine Data Center, BancPac Data Center, Brown Deer Operations Center, and the Little Rock Technology Center.
NCUA forwarded a supervisory letter from the federal regulators to FIS to credit unions on March 16 and advised them to use it in “managing your vendor relationship with FIS.”
The federal regulators acknowledged in their supervisory letter that FIS management promised to correct the problems, but nonetheless strongly criticized the company's performance as of February 28, 2012.
“The [risk management] function established within FIS did not effectively responsd to regulatory concerns regarding identified risks,” the regulators wrote. “Additionally, [risk management] did not implement corrective actions for numerous information security weaknesses identified in various [Federal Financial Institution Examination Council] reviews, and in [internal audit] reports. [Risk management] was also unable to clearly convey the severity and potential impact of developments when submitting routine quarterly reports to the Audit Committee. Further, the Audit Committee did not provide adequate oversight of the [internal audit] function to ensure there is appropriate independence when validating and testing the security control infrastructure that [risk management] supervised].”