WESLEY CHAPEL, Fla. — A Florida credit union has sued Fiserv, alleging the company failed to properly secure its online banking systems, leading to repeated hacks and hundreds of thousands of dollars in fraud losses for members.
FiCare Federal Credit Union filed the lawsuit in U.S. District Court for the Middle District of Florida, accusing Fiserv Solutions LLC and parent company Fiserv Inc. of breaching contract obligations, misrepresenting cybersecurity protections and forcing credit unions to pay additional fees for basic security safeguards.

The $79-million FiCare is being represented by Charles Nerko, managing partner of NERKO PLLC, who is representing other credit unions that have also filed suit against Fiserv, as the CU Daily has reported.
“When a credit union files suit, we can test a vendor’s promises against the contract, and achieve outcomes that ordinary customer conversations rarely deliver,” Nerko told the CU Daily. “Our thesis is simple: if a third-party promises specific security controls, bills for them, and fails to provide them, compensation should follow—and the credit union should not have to pay a ransom-like forced upgrade fee or early-termination fee just to protect itself and move on.”
The CU Daily has contacted Fiserv for comment and will update this reporting if a response is provided.
Lack of Basic Controls Alleged
The complaint centers on Fiserv’s “Virtual Branch Next” online banking platform, which FiCare FCU alleges lacks basic, federally recommended security controls, including phishing-resistant multi-factor authentication. The credit union alleges that, beginning in 2024, hackers repeatedly exploited those weaknesses, resulting in fraud losses that FiCare reimbursed to members as the result of a breach and that Fiserv did not cover.
Fiserv, the complaint alleges, failed to implement the same level of security it uses to protect its own corporate data, despite contract provisions requiring it to do so and to comply with federal cybersecurity standards.
Additional Allegations
FiCare Federal also claims Fiserv relied on authentication methods such as email and text message codes that federal guidance says are inadequate and should not be used as true multi-factor authentication. At least one system housing member data allegedly had no multi-factor protection at all, according to the filing.
The lawsuit further accuses Fiserv of concealing known security weaknesses, providing misleading compliance and privacy representations, and responding to reported problems only after media scrutiny or legal pressure. The complaint cites prior litigation involving other credit unions that raised similar concerns about Fiserv’s online banking security practices, as noted above.
Required to Purchase Product
The filing states that in December 2025, Fiserv notified customers it would discontinue an existing authentication feature and require credit unions to purchase a new product, branded “SecureNow,” to receive additional protection. FiCare Federal alleges the move amounts to charging customers extra for security Fiserv was already contractually obligated to provide and that the new product still fails to meet federal standards.
FiCare is seeking damages, rescission of its contract, declaratory and injunctive relief, and a court order requiring Fiserv to implement stronger security controls. It is also asking the court to rule that it is not obligated to pay early termination or deconversion fees if it leaves Fiserv’s platform.
FiCare Federal, founded in 1960, serves healthcare workers in Florida.

Credit Union ‘Strongly Disagrees’
“FiCare takes the protection of its members very seriously. The credit union reimbursed members who reported online banking fraud losses and is taking appropriate legal action against Fiserv, the provider of the credit union’s online banking system,” said Nerko in a statement to the CU Daily. “FiCare strongly disagrees with Fiserv’s recent decision to withdraw certain existing security features mid-contract and then require credit unions to pay for a replacement marketed as ‘SecureNow’ under new terms and higher pricing. Security should not become a mid-contract upsell.
“This issue will resonate with credit unions that have received similar notices regarding SecureNow or have been told they must purchase additional services to maintain security controls that should already be part of an online banking system,” added Nerko.
Timeline of Events
The timeline of events as alleged in the lawsuit includes:
2018
Security flaws in a Fiserv online banking platform are publicly reported by Krebs on Security, prompting scrutiny of authentication and access controls used by Fiserv systems, according to the lawsuit.
2019–2025
Multiple credit unions file lawsuits against Fiserv in federal courts alleging online banking security failures and disputes over contract termination and fees, the complaint says.
2024
FiCare Federal alleges hackers exploited weaknesses in Fiserv’s Virtual Branch Next platform during online account creation, leading to account takeovers and fraud losses. The credit union says it reimbursed affected members.
July 3, 2025
FiCare Federal sends Fiserv a formal notice of breach, alleging failures to meet contractual and regulatory cybersecurity obligations and requesting audit and security documentation.
August 2025
Fiserv provides a partial response to the credit union’s information requests but declines to produce certain billing and audit records, according to the complaint.
December 18, 2025
Fiserv notifies credit union customers it will discontinue an existing authentication feature for Virtual Branch Next and require customers to sign new agreements to purchase a replacement product marketed as “SecureNow.”
March 2, 2026
Deadline set by Fiserv for credit unions to sign agreements to obtain the SecureNow service, according to the complaint.
May 31, 2026
Scheduled effective date for the discontinuation of Fiserv’s existing authentication feature.
Jan. 27, 2026
FiCare Federal files suit in U.S. District Court for the Middle District of Florida, seeking damages, contract rescission, injunctive relief and a court order requiring stronger security controls.








