Fiserv hit with lawsuit from small Pennsylvania credit union

Register now

Bessemer System Federal Credit Union in Greenville, Pa., is taking on a tech giant.

The $39 million-asset credit union filed a lawsuit in Mercer County, Pa., against Fiserv Solutions in late April, alleging “widespread, systematic misconduct,” among other charges, according to a court document.

The suit claims that Bessemer had issues with Fiserv's services, including security lapses and member information not being accurately updated. It lists nine causes of action, including breach of contract, negligence, unfair and deceptive trade acts and practices and fraud, in the lawsuit.

Fiserv, of Brookfield, Wis., provides technology for financial institutions; it has more than 12,000 clients.

“Fiserv’s technology is the lifeblood of Bessemer: Fiserv tracks Bessemer’s deposits, generates its statements, and powers its online banking website,” the credit union said in its pleading document. “Despite Fiserv’s claimed expertise, Fiserv has misreported Bessemer’s account records and information, while being plagued with security vulnerabilities that affect the privacy of thousands of Bessemer’s members.”

Fiserv has denied the allegations.

“We believe the allegations have no merit and will respond to the claims as part of the legal process,” Ann Cave, a spokeswoman for Fiserv, said in a prepared statement to CU Journal.

In the credit union’s 80-page filing, a copy of which was obtained by Credit Union Journal, the Bessemer System alleges a “serious pattern of problems.” For example, the credit union cited an instance in which a member paid off a loan but Fiserv “falsely” reported money still was owed.

The credit union claims that Fiserv “conceded” in an email to the credit union’s CEO, “Yes, we agree, Bessemer System FCU has experienced an extreme number of issues.”

Bessemer System further alleged Fiserv “failed to properly safeguard” confidential and “highly sensitive” financial information. The CU asserted there were “several instances of critical security vulnerabilities” of member information that was in Fiserv’s custody, “each based on baffling and amateurish security lapses.”

The lawsuit mentioned an August 2018 incident in which Krebs On Security, a blog that covers security issues and data breaches, reported the discovery of a vulnerability that exposed account and transactional records. The lapse also allowed unauthorized individuals to add or delete phone numbers and email addresses used to receive alerts. Allegedly, Fiserv did not address this vulnerability until the company was contacted by a reporter.

“Fiserv did not notify Bessemer and its customers about this security lapse until after Fiserv received negative press coverage,” the suit alleges.

Bessemer System FCU said in its lawsuit it conducted a security review that found issues in online banking services provided by Fiserv. The CU said Fiserv not only did not fix the problem, the company issued a “notice of claims” against the credit union.

By issuing the notice of claims, the institution alleges Fiserv was “attempting to silence Bessemer by threatening civil and criminal prosecution if Bessemer discussed Fiserv’s security problems with third parties, including Fiserv’s other clients.”

“Thus, to Fiserv, it was more important to keep its security problems under wraps than to fix security holes that potentially threatened scores of financial institutions and consumers,” the credit union alleged.

Bessemer System quoted The Wall Street Journal in alleging Fiserv’s “misconduct” was “part of a pattern of victimizing small financial institutions and the consumers they serve.” The credit union went on to say Fiserv is employing a strategy of buying up its smaller competitors to “stymie competition” while the company “ceases to make the proper financial investments to keep up with emerging technology and security risks.”

“If Fiserv is allowed to continue its course of misconduct, it will be encouraged to continue threatening its clients when security issues are reported, rather than making the proper investments to ensure that consumers’ information is being properly safeguarded and accurately reported,” the pleading document states. “That result would significantly threaten the thousands of financial institutions that Fiserv services and the innumerable consumers who entrust Fiserv to safeguard their most sensitive financial information.”

Bessemer System FCU states it attempted to resolve its issues with Fiserv before filing the lawsuit. The credit union says it followed the dispute-resolution provision in its contract. Bessemer said Fiserv “refused to timely participate” in an audit and “failed to provide” requested documents.

The credit union, which is demanding a jury trial, is seeking punitive damages and other relief.

For reprint and licensing requests for this article, click here.