DURHAM, N.C. — Self-Help Credit Union has expanded its lawsuit against Fiserv, alleging in an amended complaint that the core processor failed to implement required cybersecurity safeguards, misrepresented its authentication controls and attempted to force the credit union to purchase a replacement security product while still under contract.
The CU Daily originally reported on the filing of the complaint here in early April. The case was filed by NERKO PLLC, a law firm formed to represent credit unions in disputes with third-party vendors. Managing Partner Charles Nerko, who has represented five other credit unions in litigation against Fiserv.
In a statement to the CU Daily, Nerko said, “The new claims in this case underscore key issues about third-party vendor risk and accountability. As GAC brings the credit union movement together, we expect credit union leaders will scrutinize core-processor accountability more closely.”
Also in a statement to the CU Daily, Fiserv said the claims against Fiserv fundamentally mischaracterize our credit union business and our longstanding commitment to protecting our clients (the full statement appears below).
The amended complaint, filed in the U.S. District Court for the Middle District of North Carolina, asserts claims including breach of contract, fraud and fraudulent misrepresentation. All assertions in the filing are allegations that have not been proven in court.
Self-Help, acting as successor to Winston-Salem Federal Credit Union, alleges Fiserv failed to deploy compliant multi-factor authentication (MFA) on systems used by members and credit union staff, despite contractual and regulatory obligations to protect confidential information.
Not Even ‘Baseline Authentication’
According to the complaint, Fiserv “has not even provided baseline authentication” while marketing services as enhanced security. The credit union alleges certain platforms relied on email-delivered passcodes rather than possession-based MFA, which it contends falls short of federal cybersecurity expectations.
The filing identifies a range of systems — including online banking and internal service platforms — where Self-Help alleges proper MFA was not implemented. One system used for tickets, change orders and communications involving sensitive data relied on “an email-delivered passcode,” which the complaint characterizes as inadequate protection.
Self-Help says it conducted a security review after learning of similar concerns raised by another institution and subsequently sent Fiserv notices of breach in November 2025. The credit union requested audits, security-test summaries, certifications and disaster-recovery documentation required under the parties’ master agreement.
Alleged Response
Fiserv allegedly responded that the agreement imposed no deadline to produce the materials and did not provide them within the requested timeframe. More than 60 days later, the documents still had not been produced, the complaint alleges.
The lawsuit also challenges Fiserv’s December 2025 notice announcing it would discontinue an “Enhanced Authentication” feature effective May 31, 2026, and require clients to adopt a replacement product called “SecureNow.”
Self-Help alleges the change amounted to removing security measures mid-contract and attempting to resell them. “SecureNow is not an ‘upgrade,’” the complaint states, calling it a product that fails to address “the root cause of online banking account takeovers.”
Alleged Statements During Webinar
During a February 2026 webinar, Fiserv representatives allegedly said one-time passcodes would be required only initially and later triggered only by unusual activity, such as a new device or location. The complaint says that approach leaves institutions exposed even if they purchase the service.
Self-Help further alleges Fiserv pressured customers to enroll, warning that online banking access could be “paused” after the May 2026 deadline if SecureNow was not implemented.
The credit union contends Fiserv had a “preexisting duty to safeguard” customer information and could not condition that duty on new fees or contractual terms. It also disputes a seven-figure early-termination fee described as punitive and designed to deter institutions from leaving.
Additional Allegations
The complaint accuses Fiserv of concealing alleged deficiencies, asserting the company maintained “exclusive knowledge of the material defects” while continuing to market its services. Because of the technical complexity of the systems, Self-Help says it could not reasonably have discovered the issues earlier.
Self-Help seeks damages, restitution of fees paid for services it alleges were not delivered as promised, and a declaration that it has no obligation to adopt SecureNow.
Fiserv Responds
“The claims against Fiserv fundamentally mischaracterize our credit union business and our longstanding commitment to protecting our clients,” a Fiserv spokesperson said to the CU Daily in a statement. “Our policies and practices are designed to deliver effective information security programs tailored to each client’s business, member preferences, and other needs. The features of these programs are detailed in comprehensive written agreements between Fiserv and its clients, something that these claims ignore. We look forward to successfully defending ourselves in court.”
