The NCUA has asked credit unions that process their debit and credit card transactions with FIS to evaluate their relationship with the card processor in light of an information technology supervisory letter the company has received from other federal financial regulators.

FIS processes credit and debit card transactions for the majority of card-issuing credit unions and has about 5,400 client credit unions.

The NCUA letter included a copy of an FDIC supervisory letter. An interagency team from the bank insurer, the Federal Reserve Bank of Atlanta and the Office of the Comptroller of the Currency conducted an interim supervisory review of FIS, which has both bank and credit union clients, beginning Oct. 17, 2011 and concluding with an exit meeting on Jan. 20, 2012.

“I encourage you to review the supervisory letter as it discusses some regulatory concerns that require corrective action by FIS management and FIS board of directors,” wrote Larry Fazio, director of NCUA's Office of Examination and Insurance, in the NCUA's March 16 letter to credit union boards of directors.

The NCUA has not yet commented on the letter, which was critical of FIS' management.

“FIS executive management supervision and control over the risk management and information security function are unsatisfactory,” the FDIC wrote in its letter. “Additionally, the board of directors does not provide sufficient direction and oversight for management responsibilities, as well as for independent review in these areas by internal audit.”

“The breadth and severity of weaknesses noted at stem from management's failure to adequately address previously identified systemic issues and to take proactive measures to mitigate the identified systemic risks. These weaknesses have exposed service financial institutions to increased risk and have raised concerns regarding management's ability to establish and enforce effective information security measures commensurate with the need of FIS,” the regulatory team added.

For its part, FIS implied the FDIC supervisory letter had its origins in a hacker attack the processor suffered in the first quarter of last year to its Sunrise prepaid program, but a statement from the company does not mention the FDIC supervisory letter.

“On Dec. 16, 2011, the Federal Financial Institution Examination Council Agencies issued FIS an interim review report noting eight matters requiring attention involving enhancing FIS' information security functions,” the company wrote in its statement. “FIS immediately discussed the [matters requiring attention] with the FFIEC, developed mutually agreed upon detailed action plans with target completion dates to address the MRAs [matters requiring attention], and is firmly committed to resolving these issues. On Feb. 28, 2012, the Federal Deposit Insurance Corp. issued FIS a letter noting these same MRAs as well as FIS' detailed commitments to resolve all the MRAs.”

“FIS' executive management team and board of directors have been actively engaged in the company's information security functions before, during and after the Sunrise event and fully support the company's actions in this area,” the card processor added.

The company revealed the Sunrise prepaid card breach in a quarterly performance filing in May of last year and reported it lost about $13 million related to unauthorized activities and stated that more than 7,100 prepaid accounts may have been at risk of theft. The company also said it had taken steps to improve security and pledged to continue working with law enforcement on the matter.

In the supervisory letter, the federal regulators wrote that the Sunrise breach took place from January to April of last year and cost at least $12.7 million. The regulators also noted that a forensics investigation FIS obtained found “widespread weaknesses in fundamental information security controls that included the overall inability of the [chief information security officer] function to identify and control all information security related assets across the organization.”

The matters requiring attention included requiring FIS to continue to investigate the Sunrise breach and repair any weaknesses discovered, and said the processor should conduct an “independent management study/evaluation to determine the adequacy of senior and executive management qualifications, experience and capabilities to effectively govern the [information security], [risk management], and [internal audit] needs of FIS.”

Reaction to the supervisory letter has been muted, with credit unions saying they had filed the letter for future consideration when choosing card processors, but none said they planned to leave FIS over the issue.

CO-OP Financial Services, the payment CUSO parent of the CO-OP Network and CO-OP Shared Branching, issued a statement supporting FIS in the wake of a critical regulatory letter.

“FIS was the victim of a publicly disclosed cyber attack in early 2011 against a client of one of its prepaid card programs,” the CUSO, which is a partner with FIS in several areas, wrote on April 10. “CO-OP's EFT and shared branching systems are operated under the direction of CO-OP, and they were not involved in the 2011 incident.”

CO-OP also revealed more direct information about FIS' response to the breach than the company has. According to CO-OP, “FIS has taken action in three areas: personnel, including a new executive-level chief information security officer; PCI re-certification and enhanced information security measures.”

It added, “We support FIS in their efforts to address these issues and feel their changes will benefit in the long-term our relationship even though there was no impact to CO-OP-related business.”

There has been no comment from Card Services for Credit Unions, the association of credit unions that process their credit and debit transactions with FIS. As of press time the organization has not yet commented on the letter, though it repeatedly said it would eventually offer one.
