DURHAM, N.C. —Self-Help Credit Union has filed a lawsuit against Fiserv alleging the company misrepresented whether it implemented multi-factor authentication (MFA) on systems that store and process member information.
The complaint alleges that Fiserv relied on an “email passcode challenge” for access to systems containing sensitive member information and that this approach is insecure because it conflicts with Fiserv’s Master Agreement, as well as federal cybersecurity standards that prohibit using email passcodes for multi-factor authentication.
The lawsuit further alleges that Fiserv committed fraud by making repeated false assurances to its financial institution customers about its security posture while concealing material deficiencies. In addition to asserting claims for breach of contract and fraud, the complaint seeks restitution for fees Self-Help paid for services that Fiserv did not deliver as promised.
Termination Fee Challenged
The lawsuit also challenges Fiserv’s seven-figure early-termination fee, which Self-Help characterizes as a punitive, ransom-like charge that deters credit unions from leaving even when significant performance and security issues arise.
The case was filed by NERKO PLLC, a law firm formed to represent credit unions in disputes with third-party vendors. Managing Partner Charles Nerko, who has represented five other credit unions in litigation against Fiserv.
Fiserv Responds
In a statement to the CU Daily, a Fiserv spokesperson said, “Fiserv disagrees with the claims and will vigorously defend itself in the lawsuit.”
‘Broader Question Raised’
“This case raises a broader question for credit unions: what accountability should look like when a core processor does not meet key performance and security commitments and then seeks a significant early-termination fee,” said Nerko in a statement. “Vendors should earn long-term relationships with credit unions through reliable performance and appropriate safeguards, not penalty-driven leverage. Self-Help will diligently pursue its claims through the legal process. We expect this case will interest credit union leaders focused on third-party vendor costs, accountability, and operational risk.”
The CU Daily will add comment from Fiserv should it respond to questions.
Additional Details
In the lawsuit, filed in federal lawsuit in the Middle District of North Carolina, Self-Help Credit Union, as successor to Winston-Salem FCU, is alleging:
Fiserv Provided Insecure Systems
Self-Help alleges that Fiserv failed to use adequate cybersecurity protections—especially multi-factor authentication (MFA)—on systems containing highly sensitive member data such as account numbers, transaction histories and PII.
Fiserv allegedly used no MFA at all on one system, according to the filing. On others, it used email passcodes, which federal standards prohibit as an authentication factor.
The suit alleges Fiserv uses stronger token-based and biometric MFA internally, but not for customers like Self-Help.
Self-Help claims these failures violate the parties’ Master Agreement, which required Fiserv to use safeguards equal to those it applies to its own data and to comply with industry standards such as NIST.
Misrepresentations and Fraud
The complaint asserts that Fiserv repeatedly misled financial institutions by:
- Providing a “Compliance Package” stating it followed NIST and other regulatory standards.
- Falsely stating that MFA was implemented.
- Publishing a Privacy Notice claiming it had “appropriate security measures” in place.
Self-Help claims Fiserv concealed known deficiencies and only fixed issues when exposed by outside reporting.
Pattern of Conduct and Prior Warnings
The filing cites:
- A 2018 Krebs on Security report showing a major vulnerability in Fiserv systems.
- Other lawsuits by credit unions alleging security failures or unlawful termination fees.
- Allegations that Fiserv attempts to silence customers who report defects.
Data Security Harms
Self-Help argues that Fiserv’s lax security places its members at risk of:
- Identity theft
- Account takeovers
- Long-term exposure of financial, medical, and location-revealing information
- Sale of stolen data on the dark web
The filing emphasizes potential emotional and financial harm to members.
“Ransom” Exit Fees
When Self-Help sought to move to a more secure vendor, Fiserv allegedly demanded seven-figure early-termination and “deconversion” fees, which Self-Help characterizes as coercive, unlawful, and unenforceable.
Legal Claims
Self-Help has brought eight causes of action, including:
- Breach of contract (damages, rescission, and specific performance)
- Declaratory relief (including invalidation of termination fees and limitation-of-liability clauses)
- Unjust enrichment
- Violation of the federal Defend Trade Secrets Act
- Fraud / fraudulent inducement
- Violation of the North Carolina Unfair and Deceptive Trade Practices Act
Self-Help is seeking damages, punitive damages, restitution, contract rescission, an order requiring Fiserv to implement proper security, and a declaration that it owes no termination, liquidated-damages, or deconversion fees.
