Industry observers and executives with other processingcompanies predict that the recent supervisory letter on FISsecurity problems may have a limited impact on FIS' sales but willlikely heighten the importance of security for all paymentsprocessors.

|

NCUA forwarded a supervisory letter the FDIC and two otherfederal financial regulators sent to FIS outlining the results of arecent security examination and their concerns about the company'ssecurity operations and procedures. 

|

“This will cause reputation concerns for FIS and their groupservice providers, but likely will be corrected by FIS and resultin almost no short-term changes by their processing clients,” wroteTim Kolk, founder of TRK Advisers, a card portfolio consultancythat helps credit unions improve their credit card performance.“Most of their clients are happy with their products and servicing,they have a good team in the field, and the lead time to making aswitch is at least six months and more typically a year of analysisand conversion planning.”

|

Kolk and other observers cited a frequently long and complicatedprocess to change credit and debit card processors as limiting theimpact of the letter. “In the long term, it may make a differencehere and there, but otherwise for credit union card issuers Iexpect tomorrow will look much like yesterday in the processingworld,” Kolk added.

|

But others countered that the security concerns outlined in theletter are sufficiently grave that they will be enough to lead someCUs to leave the processing firm, pointing out that it's becomemore common for credit unions to consider other card processorsroutinely as part of their contract renegotiation process. Forthose credit unions in particular, especially if they already haveissues with FIS, the concerns raised in the supervisory lettercould lead them to switch, according to one processing specialistwho declined to speak for the record, citing company policy.

|

Ondine Irving, founder of Card Analysis Solutions, a cardportfolio consultant that specializes in helping credit unionsimprove their card portfolio performance, said a number of herclient credit unions use FIS.

|

“I have had both existing FIS clients and those in the processorselection process asking my opinion on this matter,” Irving said.“My response to my clients is to request an answer or responsedirectly from FIS or [Card Services for Credit Unions]. I amsurprised FIS or CSCU has not addressed this publicly, given thelarge number of credit union clients they process for. Prior tothis announcement, there has already been an increase in activityof credit unions seeking out all of their card processing optionsand being very aware of contract expiration dates. This may justadd fuel to the fire as credit unions wait out their contracts,”she said. “I do believe those credit unions which may be on theverge of switching processors may be more apt to think twice aboutgiving FIS their card processing business.”

|

CSCU, the association of credit unions that process their creditand debit card transactions with FIS, revealed that it has receivedinquiries from member credit unions about the letter but did notshare how the association was answering them or advising CUs. In aletter to its 2,700 member credit unions, CSCU President RobertHackney revealed that Greg Schaffer, FIS' chief informationsecurity officer, would address the association's annual meetingheld in St. Petersburg, Fla., this week.

|

“Please be assured, the CSCU board of directors, which is madeup of nine credit union CEOs from across the country, considerinformation security a critical priority of the highest magnitude,”Hackney wrote in the letter, which the association added to itswebsite. “As a credit union CEO, they, like you, want assurancetheir member's data is secure and they bring that same level ofconcern as a CSCU director representing your interest as a memberof CSCU. In addition, FIS senior management meets regularly withthe CSCU board.”

|

Meanwhile, after initially signaling its support for FIS, CO-OPFinancial Services, which partners with the processor in some jointagreements, an executive with the payments CUSO said it would alsoexpect the processor to address the security problems.

|

FIS processes debit transactions for CO-OP and markets access toCO-OP's surcharge free ATMs to its clients.

|

Caroline Lane, senior vice president for business developmentfor CO-OP, said the CUSO would accept FIS' declarations for what ithad been doing to correct the security concerns that were thesubject of a supervisory letter but that the CUSO would also holdthe company accountable for making those changes. She did notelaborate on what that accountability might include.

|

“I wouldn't say we would just take their word for it about whatthey are doing, that's sounds too soft,” Lane explained. “We willhold them accountable for following through.”

|

Lane joined with other processing executives, including KimberlyHester, executive vice president, network services for CO-OP andJeff Russell, CEO of TMG Financial Services and senior adviser toThe Members' Group, in predicting that the FIS letter will resultin highlighting the importance of security in evaluatingprocessors. TMG Financial Services purchases CU card portfolios andissues cards in agent relationships with credit unions. The MembersGroup processes debit and credit card transactions for creditunions.

|

“This is something which has already been going on for sometime,” Lane remarked, “at least we have been hearing about it sinceNCUA started putting more emphasis on evaluating vendorrelationships,” Lane said. “I expect that this is only going tomake security more important.”

|

Russell agreed and predicted that heightened concerns would lastfor some time, even through the advent of net technology whichshould make card data security easier to manage.

|

“The payments processing industry has spent an extraordinaryamount of money and time protecting the 16 digit card number,”Russell observed, “and I don't see that changing any time soon.Even if chip cards come into wider usage, there will always bethieves looking for ways they can evade the technology and stealthe data.” 

|

 

|

NCUA Defends Forwarding Letter

|

Officials at the NCUA are defending their decision to forward asupervisory letter on FIS to credit unions, noting that it'sroutine for the agency to share materials from other regulators andobserving that credit unions that process with FIS needed to readthe letter.

|

“It is a longstanding inter-agency practice to share reports, inthis case produced by one of the banking agencies, with clients ofrecord,” said Larry Fazio, director of examination and insurancefor the agency. “The Federal Deposit Insurance Corp., the Office ofthe Comptroller, and the Federal Reserve Bank have all releasedthis report, like other vendor reports, to their regulatedinstitutions. NCUA, like the other agencies, is providing thereport information for the sole purpose of facilitating vendor duediligence.”

|

Sources familiar with the agency's actions said officials hadconsidered forwarding the letter routine and argued that the agencyrisked leaving credit unions unwarned.

|

The sources, who spoke not for attribution, pointed out that theagency had little choice but to share the letter and would have hadto bear some degree of responsibility had credit unions sufferedlosses from a risk that the agency was aware of but credit unionswere not.

|

The sources also denied the rumor that the agency was trying todrive credit unions away from using FIS. They pointed out that thedecision to change payment processors was large enough and complexenough that neither the agency nor credit unions would be served bylarge numbers of credit unions going through that process at thesame time. Rather, the officials said the agency hoped thatproviding information to the credit unions would help bring marketpressure on the processor to correct the security deficiencies aswell as alert credit unions to the risk.

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

  • Critical CUTimes.com information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
  • Exclusive discounts on ALM and CU Times events.
  • Access to other award-winning ALM websites including Law.com and GlobeSt.com.
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.