The NCUA has asked credit unions that process their debit and credit card transactions with FIS to evaluate their relationship with the card processor in light of an information technology supervisory letter the company has received from other federal financial regulators.
FIS processes credit and debit card transactions for the majority of card-issuing credit unions and has about 5,400 client credit unions.
The NCUA letter included a copy of an FDIC supervisory letter. An interagency team from the bank insurer, the Federal Reserve Bank of Atlanta and the Office of the Comptroller of the Currency conducted an interim supervisory review of FIS, which has both bank and credit union clients, beginning Oct. 17, 2011 and concluding with an exit meeting on Jan. 20, 2012.
“I encourage you to review the supervisory letter as it discusses some regulatory concerns that require corrective action by FIS management and FIS board of directors,” wrote Larry Fazio, director of NCUA's Office Examination and Insurance, in a letter to credit union boards of directors in the NCUA's March 16 letter.
The NCUA has not yet commented on the letter, which was critical of FIS' management.
“FIS executive management supervision and control over the risk management and information security function are unsatisfactory,” the FDIC wrote in its letter. “Additionally, the board of directors does not provide sufficient direction and oversight for management responsibilities, as well as for independent review in these areas by internal audit.”
“The breadth and severity of weaknesses noted at stem from management's failure to adequately address previously identified systemic issues and to take proactive measures to mitigate the identified systemic risks. These weaknesses have exposed service financial institutions to increased risk and have raised concerns regarding management's ability to establish and enforce effective information security measures commensurate with the need of FIS,” the regulatory team added.
For its part, FIS implied the FDIC supervisory letter had its origins in a hacker attach the processor suffered in the first quarter of last year to its Sunrise prepaid program, but a statement from the company does not mention the FDIC supervisory letter.
“On Dec. 16, 2011, the Federal Financial Institution Examination Council Agencies issued FIS an interim review report noting eight matters requiring attention involving enhancing FIS’ information security functions,” the company wrote in its statement. “FIS immediately discussed the [matters requiring attention] with the FFIEC, developed mutually agreed upon detailed action plans with target completion dates to address the MRAs [matters requiring attention], and is firmly committed to resolving these issues. On Feb. 28, 2012, the Federal Deposit Insurance Corp. issued FIS a letter noting these same MRAs as well as FIS’ detailed commitments to resolve all the MRAs.”
“FIS’ executive management team and board of directors have been actively engaged in the company’s information security functions before, during and after the Sunrise event and fully support the company’s actions in this area,” the card processor added.
The company revealed the Sunrise prepaid card breach in a quarterly performance filing in May of last year and reported it lost about $13 million related to unauthorized activities and stated that more than 7,100 prepaid accounts may have been at risk of theft. The company also said it had taken steps to improve security and pledged to continue working with law enforcement on the matter.
In the supervisory letter, the federal regulators wrote that the Sunrise breach took place from January to April of last year and cost at least $12.7 million. The regulators also noted that a forensics investigation FIS obtained found “widespread weaknesses in fundamental information security controls that included the overall inability of the [chief information security officer] function to identify and control all information security related assets across the organization.”
The matters requiring attention included requiring FIS to continue to investigate the Sunrise breach and repair any weaknesses discovered and said the processor should conduct an “independent management study/evaluation to determine the adequacy of senior and executive management qualifications, experience and capabilities to effectively govern the [information security], [risk management], and [internal audit] needs of FIS.”
Reaction to the supervisory letter has been muted, with credit unions saying they had filed the letter for future consideration when choosing card processors, but none said. they planned to leave FIS over the issue.
CO-OP Financial Services, the payment CUSO parent of the CO-OP Network and CO-OP Shared Branching, issued a statement supporting FIS in the wake of a critical regulatory letter.
“FIS was the victim of a publicly disclosed cyber attack in early 2011 against a client of one of its prepaid card programs,” the CUSO, which is a partner with FIS in several areas, wrote on April 10. “CO-OP’s EFT and shared branching systems are operated under the direction of CO-OP, and they were not involved in the 2011 incident.”
CO-OP also revealed more direct information about FIS' response to the breach than the company has. According to CO-OP, “FIS has taken action in three areas: personnel, including a new executive-level chief information security officer; PCI re-certification and enhanced information security measures.”
It added, “We support FIS in their efforts to address these issues and feel their changes will benefit in the long-term our relationship even though there was no impact to CO-OP-related business.”
There has been no comment from Card Services for Credit Unions, the association of credit unions that process their credit and debit transactions with FIS. As of press time the organization has not yet commented on the letter, though it repeatedly said they would eventually offer one.