- Key insight: The complaint alleges Fiserv secured its internal corporate data with biometric controls but forced clients to use weaker, email-based passcodes.
- What’s at stake: Self-Help is seeking a court order to void millions in “early termination” fees, arguing they shouldn’t pay to leave a system that violates security standards.
- Expert quote: “Fiserv sold and operated systems that were so insecure that no regulated financial institution should have been asked to run its confidential data through them,” according to the complaint filed by Self-Help Credit Union
Overview bullets generated by AI with editorial review
Self-Help Credit Union recently filed a lawsuit against Fiserv alleging the tech giant knowingly provided insecure account processing systems and demanded “ransom” in the form of exorbitant termination fees when the credit union attempted to leave.
The complaint, filed Dec. 4 in the U.S. District Court for the Middle District of North Carolina, accuses Fiserv of failing to protect the credit union’s member data with the same safeguards it uses for its own corporate information — an alleged violation of the parties’ master agreement.
“Fiserv sold and operated systems that were so insecure that no regulated financial institution should have been asked to run its confidential data through them,” lawyers for Self-Help, based in Durham, North Carolina, wrote in the complaint.
A spokesperson for Fiserv told American Banker that the company “disagrees with the claims and will vigorously defend itself in the lawsuit.”
Insufficient multifactor authentication
Self-Help alleges that while Fiserv secures its own internal data with “layered, possession-based multi-factor authentication (MFA), token generators, and biometric controls,” it withheld those protections from the credit union.
Instead, Fiserv allegedly utilized weaker security measures for client data, such as email passcode challenges. This is the practice of sending a one-time password to the user’s email address.
The National Institute of Standards and Technology recommends against using email passcode challenges as a form of authentication when a user logs into a system because it is susceptible to hacking if the user’s email account is not properly secured.
On at least one system housing Self-Help data, Fiserv allegedly required “no MFA at all,” according to the complaint. The credit union did not identify the specific system by name in the filing.
Self-Help claims this disparity violated the master agreement, which requires Fiserv to “use the same care and discretion to prevent unauthorized disclosure of information as it uses with its own similar information,” according to the complaint.
Additionally, the suit cites a part of the agreement that mandates Fiserv implement a security program designed to “protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.”
The credit union further alleges that Fiserv provided a “fraudulent” compliance package that misrepresented its adherence to regulatory standards.
In a “Standard Information Gathering Questionnaire” provided to clients, Fiserv allegedly claimed its policies were based on NIST standards and that it utilized MFA — statements Self-Help argues were “false and misleading” given the reliance on email passcodes.
A “ransom” for exit
When the credit union sought to move its data to a more secure provider, Fiserv allegedly demanded a seven-figure “early termination” and deconversion payment.
“Fiserv’s ultimatum is simple: pay the ransom, or keep your data exposed on systems Fiserv refuses to adequately secure,” the complaint stated.
The verbiage in the complaint evokes ransomware, in which a threat actor steals data from a victim and demands the victim pay a ransom to have the data deleted rather than publicly leaked.
Self-Help is asking the court for monetary damages “in amounts to be determined at trial,” rather than a specific sum.
The credit union is also seeking a court order for “specific performance” compelling Fiserv to secure the data immediately, as well as a declaration that the credit union has no obligation to pay the early termination fees.
Lawsuit one of many troubles for Fiserv
The legal battle with Self-Help comes amid a turbulent period for the Milwaukee-based technology vendor, which is grappling with shareholder lawsuits, executive turnover and a plummeting stock price following a significant earnings miss.
In November, multiple shareholder class actions were filed against Fiserv, CEO Michael Lyons, and then-CFO Robert Hau. These lawsuits stem from a dramatic drop in Fiserv’s stock price following its third-quarter earnings report.
On Oct. 29, Fiserv reported third-quarter revenue of $4.92 billion, missing analyst estimates of $5.36 billion. The company slashed its full-year organic revenue growth guidance to a range of 3.5% to 4%, down from a prior projection of approximately 10%.
Shareholders allege that Fiserv executives misled investors during a July 23 earnings call. At that time, Lyons, who had recently taken the helm as CEO, assured investors that he had conducted a “re-underwriting” of the company’s initiatives and that the 2025 guidance was sound.
However, during the October call, Lyons admitted that the prior guidance contained assumptions that “would have been objectively difficult to achieve even with the right investment and strong execution,” according to a transcript of the call cited in
Lyons told analysts in October that a “rigorous analysis” conducted during the third quarter revealed that the company had “relied on short-term initiatives” that prioritized in-quarter results over long-term relationships.
Separately, a class action filed in July in the Southern District of New York alleges Fiserv artificially inflated the performance of its Clover point-of-sale business by secretly migrating clients from its legacy Payeezy platform.
Executive turnover, strategic shifts, operational headwinds
Fiserv is also navigating
Following the dismal third-quarter results, Fiserv announced further shakeups. CFO Robert Hau is set to be replaced by Paul Todd, formerly of Global Payments. Additionally, the company appointed Takis Georgakopoulos and Dhivya Suryadevara as co-presidents.
Amid these changes, Fiserv announced a restructuring plan dubbed “One Fiserv” and a move to transfer its stock listing from the New York Stock Exchange to Nasdaq.
The company has also faced scrutiny over service reliability. In May 2025,
While a Fiserv spokesperson stated at the time the issue was “fully resolved” the same day, the incident highlighted the industry’s reliance on third-party vendors.
“Events like this expose vulnerabilities in our digital payment infrastructure and remind us how a single point of failure at a major provider like Fiserv can ripple across the entire system,” Jim Perry, senior strategist at Market Insights, told American Banker at the time.