IN THE COURT OF COMMON PLEAS OF MERCER BESSEMER SYSTEM FEDERAL CREDIT UNION, a not-for?pro?t federal credit union, Plaintiff, -against? FISERV SOLUTIONS, LLC, a Wisconsin limited liability corporation f/k/a FISERV SOLUTIONS, INC., a Wisconsin corporation, and FISERV, INC, a Wisconsin corporation, Defendants. CIVIL DIVISION No. 2018-01130 COMPLAINT IN ACTION Filed on Behalf of Plaintiff Bessemer System Federal credit Union Counsel of Record for This gray: 81138 92 34V 6181 RICHARD J. PARKS, ESQUIRE PA ID #40477 PIETRAGALLO GORDON ALFANO BOSICK RASPANTI, LLP 7 West State Street, Suite 100 Sharon, PA 16146 Tel: (724) 981?1397 Fax: (724) 981-1398 Email: rjp@pietragallo.com CHARLES J. NERKO, ESQUIRE Admitted pro hac vice JOEL S. ORMAN, ESQUIRE Pro hac vice to be ?led VEDDER PRICE RC. 1633 Broadway New York, NY 10019 Tel.: (212) 407?7700 Fax: (212) 407-7799 Email: cnerko@vedderprice.com jforman@vedderprice.com JURY TRIAL DEMANDED H003 IHIGEWS .L A d33?31 IN THE COURT OF COMMON PLEAS OF MERCER COUNTY, BESSEMER SYSTEM FEDERAL CREDIT UNION, a not-for-pro?t federal credit union, Plaintiff, CIVIL DIVISION -agamst- N0. 2018-01130 FISERV SOLUTIONS, LLC, a Wisconsin limited liability corporation f/k/a FISERV SOLUTIONS, INC., a Wisconsin corporation, and FISERV, INC., a Wisconsin corporation, Defendants. YOU HAVE BEEN SUED IN COURT. IF YOU WISH TO DEFEND AGAINST THE CLAIMS SET FORTH IN THE FOLLOWING PAGES, YOU MUST TAKE ACTION WITHIN TWENTY (20) DAYS AFTER THIS COMPLAINT AND NOTICE ARE SERVED, BY ENTERING A WRITTEN APPEARANCE PERSONALLY OR BY ATTORNEY AND FILING IN WRITING WITH THE COURT YOUR DEFENSES OR OBJECTIONS TO THE CLAIMS SET FORTH AGAINST YOU. YOU ARE WARNED THAT IF YOU FAIL TO DO SO THE CASE MAY PROCEED WITHOUT YOU AND A JUDGMENT MAY BE ENTERED AGAINST YOU BY THE COURT WITHOUT FURTHER NOTICE FOR ANY MONEY CLAIMED IN THE COMPLAINT OR FOR ANY OTHER CLAIM OR RELIEF REQUESTED BY THE PLAINTIFF. YOU MAY LOSE MONEY OR PROPERTY OR OTHER RIGHTS IMPORTANT TO YOU. YOU SHOULD TAKE THIS PAPER TO YOUR LAWYER AT ONCE. IF YOU DO NOT HAVE A LAWYER OR CANNOT AFFORD ONE, GO TO OR TELEPHONE THE OFFICE SET FORTH BELOW TO FIND OUT WHERE YOU CAN GET LEGAL HELP. THIS OFFICE CAN PROVIDE YOU WITH INFORMATION ABOUT HIRING A LAWYER. IF YOU CANNOT AFFORD TO HIRE A LAWYER, THIS OFFICE MAY BE ABLE TO PROVIDE YOU WITH INFORMATION ABOUT AGENCIES THAT MAY OFFER LEGAL SERVICES TO ELIGIBLE PERSONS AT A REDUCED FEE OR NO FEE. Mercer County Lawyers? Referral Service Mercer County Bar Association PO. Box 1302 Hermitage, PA 16148 IN THE COURT OF COMMON PLEAS OF MERCER COUNTY, BESSEMER SYSTEM FEDERAL CREDIT UNION, a not-for-pro?t federal credit union, Plaintiff, CIVIL DIVISION -aga1nst- No. 2018-01130 ISERV SOLUTIONS, LLC, a Wisconsin limited liability corporation f/k/a ISERV SOLUTIONS, INC., a Wisconsin corporation, and FISERV, INC., a Wisconsin corporation, Defendants. COMPLAINT Plaintiff Bessemer System Federal Credit Union (??Bessemer? or the ?Credit Union?), by and through its undersigned counsel, Pietragallo Gordon Alfano Bosick Raspanti, LLP and Vedder Price P.C., for its complaint (?Complaint?) against Defendant Fiserv Solutions, LLC, formerly known as Fiserv Solutions, Inc. (?Fiserv Solutions?) and Fiserv, Inc. (collectively with Fiserv Solutions, ?Fiserv?), states as follows upon knowledge as to its own actions and upon information and belief as to others? actions: Nature of the Action 1. Maintaining accurate account information and safeguarding the con?dentiality of personal information are vital to the success of a ?nancial institution such as Bessemer. This action arises from the widespread, systematic misconduct of Fiserv, a vendor that claims expertise in providing technology solutions to ?nancial institutions. 2. Fiserv?s technology is the lifeblood of Bessemer: iserv tracks Bessemer?s deposits, generates its statements, and powers its online banking website. Despite Fiserv?s claimed expertise, Fiserv has misreported Bessemer?s account records and information, while being plagued with security vulnerabilities that affect the privacy of thousands of Bessemer?s members. Given the serious pattern of problems, Fiserv itself conceded in an email to Bessemer?s Chief Executive Of?cer: ?Yes, we agree, Bessemer System has experienced an extreme number of issues.? 3. Even after knowing that its problems were ?extreme,? Fiserv stuck its head in the sand. For example, after Bessemer reported that Fiserv was not properly allocating loan payments and was falsely reporting that a member was still owing money on a loan that was already paid off, Fiserv admitted that it ?told [Bessemer?s Chief Executive Of?cer] that it should work.? But Fiserv lied when representing that its system would accurately process loan payments and correctly report loan balances to members. As a result of the Credit Union?s persistent questioning, iserv later acknowledged that the Credit Union?s Chief Executive Of?cer ?was adamant that this wouldn?t work and she is correct.? 4. Even more astoundingly, iserv has failed to properly safeguard the con?dential and highly sensitive ?nancial information Bessemer and its members have entrusted to Fiserv. Bessemer?s member information has been subject to several instances of critical security vulnerabilities while in Fiserv?s custody?each based on baf?ing and amateurish security lapses. 5. Although Fiserv asserts that it takes privacy and con?dentiality very seriously, the facts show otherwise. Indeed, after Bessemer conducted a security review of Fiserv and uncovered that there were security vulnerabilities in the online banking website Fiserv provides for Bessemer, Fiserv?s response was to implement a purely cosmetic that was readily bypassed and did not address the problem. Meanwhile, Fiserv ?thanked? Bessemer by issuing an aggressive ?notice of claims,? attempting to silence Bessemer by threatening civil and criminal prosecution if Bessemer discussed iserv?s security problems with third parties, including iserv?s other clients (who presumably were affected with the same security problems at their own ?nancial institutions). Thus, to Fiserv, it was more important to keep its security problems under wraps than to ?x security holes that potentially threatened scores of ?nancial institutions and consumers. 6. According to The Wall Street Journal, iserv?s misconduct is part of a pattern of victimizing small ?nancial institutions and the consumers they serve. After decades of acquiring other technology providers, iserv and its two largest competitors now dominate the market, servicing 90% of U.S. banks with less than $1 billion in assets. Fiserv?s strategy is to buy up its smaller competitors to competition. Meanwhile, Fiserv ceases to make the proper ?nancial investments to keep up with emerging technology and security risks?while locking ?nancial institutions into long-term contracts, silencing its clients from disclosing to other affected clients when there are security problems, and holding customers? data hostage when those customers seek to go to competitors. This gambit has fattened Fiserv?s pro?ts, while exploiting smaller ?nancial institutions and the consumers they serve. While midsize and local banks hold 13% of primary banking relationships, they capture only 7% of the customers who switch banks. See ?Frustrated by the Tech Industry, Small Banks Start to Rebel,? The Wall Street Journal, April 11, 2019, _pos4. 7. Among vendors claiming expertise in providing account processing services to ?nancial institutions, Fiserv stands alone as the worst offender when it comes to protecting and accurately reporting consumers? sensitive ?nancial information. The time is up on multibillion- dollar companies such as Fiserv abusing consumers, yet hoping to evade the consequences of their actions by silencing and intimidating critics. Bessemer brings this action to protect itself and thousands of its members from the wide-ranging harm that Fiserv has in?icted. 8. In addition to banning Bessemer and its members, Fiserv?s misconduct signi?cantly harms credit unions, small ?nancial institutions, and all the consumers they serve. If Fiserv is allowed to continue its course of misconduct, it will be encouraged to continue threatening its clients when security issues are reported, rather than making the proper investments to ensure that consumers? information is being properly safeguarded and accurately reported. That result would signi?cantly threaten the thousands of ?nancial institutions that iserv services and the innumerable consumers who entrust Fiserv to safeguard their most sensitive ?nancial information. 2&8. 9. Plaintiff Bessemer System Federal Credit Union is a federally chartered not-for- pro?t credit union. Bessemer has a principal place of business at 106 Wood?eld Drive, Greenville, 16125. 10. Defendant Fiserv Solutions, LLC is a limited liability corporation organized under the laws of the State of Wisconsin with a principal place of business at 255 Fiserv Drive, Brook?eld, Wisconsin 53008. Defendant Fiserv Solutions, LLC was formerly known as Fiserv Solutions, Inc., a Wisconsin corporation. 11. Defendant Fiserv, Inc. is a corporation organized under the laws of the State of Wisconsin with a principal place of business at 255 Fiserv Drive, Brook?eld, Wisconsin 53008. Jurisdiction: and Venue 12. This Court has jurisdiction pursuant to 42 PA. CONS. STAT. 931 because the matters complained of herein occurred with Mercer County, and this Court has original jurisdiction over all cases not exclusively assigned to another court. 13. Venue is proper pursuant to PA. R.C.P. No 2179 because: Fiserv regularly conducts business in Mercer County; (ii) the cause of action arose from actions in Mercer County; and the transactions and occurrences relating to the cause of action arose in Mercer County. 14. There is no basis for federal jurisdiction. No federal question is asserted. No diversity jurisdiction exists because Bessemer is a federally chartered credit union engaged in interstate commerce. Bessemer does business with members residing in Ohio, and more than twenty other states. Bessemer regularly engages in non-localized interstate business activities, including through an infrastructure provided by Fiserv, which allows Bessemer to transact business on its own account, and with its members,I in multiple states. As Bessemer is a federally chartered national citizen, there is no diversity of state citizenship. Factual Background 15. Founded in 1943 by employees of the Bessemer and Lake Erie Railroad, Bessemer is a member-owned, not-for?profit consumer cooperative headquartered in Greenville, Bessemer is committed to serving the ?nancial needs of its several thousand members, many of whom live in and Ohio. Bessemer has earned the National Bessemer may sometimes provide certain services to nonmembers. References to ?members? in this Complaint apply to members of Bessemer and, where applicable, any nonmember customer of Bessemer. Credit Union Administration?s low-income designation, re?ecting Bessemer?s dedication to helping consumers who are underserved by mainstream ?nancial institutions. 16. Founded in 1984, iserv is one of the world?s largest providers of technology solutions to credit unions, banks, and other ?nancial services providers. According to Fiserv?s website, it has more than 12,000 clients in more than 50 countries, and Fiserv reported $5.82 billion of revenue in 2018. Fiserv provides core processing services to more than one in three ?nancial institutions in the United States. Fiserv administers 135 million deposit accounts, more than 80 million online banking end users, and approximately 28 million active bill payment end users. More than $75 trillion of transactions each year move through Fiserv?s systems. 17. iserv provides account processing services for Bessemer, including through a core processing system known as ?Charlotte.? An account processing system is the ?brains? behind a ?nancial institution, processing and recording all transactions for the ?nancial institution. For example, Fiserv hosts Bessemer?s online banking website and processes members? transactions originating from that site as well as from in?branch transactions initiated through tellers? computers. 18. According to iserv, ?processing account-based transactions is at the very heart of [a credit union?s] business. Each transaction is a reference point that re?ects the speed, service, ef?ciency and overall competitiveness of your organization. When you get account processing right, your customers are satis?ed and your workforce is maximally utilized?and your pro?ts go up as a result. When you get it wrong, you can expect it to wreak havoc throughout the enterprise, especially on the bottom line.? See (last visited April 25, 2019). 19. iserv ?irther explains in its Code of Conduct Business Ethics, ?[t]he nature of our business requires that all Fiserv computer systems and networks that process ?nancial transactions and store ?nancial data operate with the availability, ef?ciency, reliability and integrity that are expected of systems that process ?nancial transactions and store ?nancial data. The company is ?rmly committed to operating and maintaining its technology assets in a manner that merits the trust and con?dence of the clients and consumers we serve.? See (last visited April 25, 2019). As for protecting con?dential information, Fiserv acknowledges that is our responsibility to safeguard con?dential infomiation when it is collected used, transmitted and stored to prevent any unauthorized disclosure. . .. This includes the personal information that we store for our clients? See id. 20. Just as Fiserv recognized and acknowledges in its promotional material and Code of Conduct Business Ethics, the failure by Fiserv to provide the account processing services as represented to Bessemer is wreaking havoc throughout Bessemer?s operations and business. 21. Fiserv advertises and represented to Bessemer that its account processing system offers ?all the components required for credit union operations, plus established interfaces to a full range of ancillary products and services.? See brochureaspx (last visited April 25, 2019). 22. According to iserv, ?Charlotte offers ?exible features designed to help you improve productivity, train employees faster and implement new products and services with ease. Backed by a world-class customer support team that is dedicated to helping credit unions achieve their growth goals, Charlotte delivers all of your essential account processing functions, along with a wide range of integrated add?on tools.? See (last visited April 25, 2019). 23. iserv represents that its Charlotte platform is ?equipped with indispensable functionality and an array of integrated add-on options for seamless responsiveness that allows credit unions to stay competitive. Charlotte has a wide array of advanced solutions such as lending, Internet banking, document imaging and more capabilities to choose from aimed at helping credit unions increase productivity and efficiency.? See (last visited April 25, 2019). 24. As part of Fiserv?s ?Commitment to Accurate Accounting and Recordkeeping,? iserv represents that ?Fiserv is committed to maintaining full, fair, accurate and timely accounting and business records. This protects our legal interests; and helps us preserve the trust of our clients.? See 70ccedbdb25c (version in effect on August 22, 2018). 25. Fiserv also represents that its Charlotte system will allow ?nancial institutions to ?[s]tay current with technology requirements and regulatory compliance without. increasing staff,? and that technology tools become more advanced, so does the Charlotte solution. Fiserv continues to make timely updates and enhancements to the Charlotte system to ensure that this robust solution remains competitive by using the most up-to-date technologies available.? See (last visited April 25,2019) 26. Indeed, Fiserv recognizes its af?rmative obligation to provide services that continuously comply with applicable law and not harm consumers. As Fiserv explains: ?[a]ll iserv associates have an af?rmative obligation to design, deliver and support our products and services in a manner that continuously complies with applicable laws and regulations. . .. Because the principal market for our products and services is the regulated ?nancial services industry, the consequences of non-compliant offerings could seriously damage our reputation and ?nancial interests. iserv should use all reasonable measures to avoid consumer harm, to assist our clients in avoiding consumer harm and in diligently investigating any claims by our clients or others that our products or services are harming consumers. . See (last visited April 25, 2019). 27. Fiserv?s privacy policy claims that ?Fiserv maintains physical, electronic, and procedural safeguards designed to provide a level of security appropriate to the risk of processing Personal Information.? See (last visited April 25, 2019). 28. iserv asserts that it is a ?a proven ally in securing your IT infrastructure from increasingly sophisticated and targeted cyber-attacks. . .. That?s why we deliver a layered and comprehensive approach to keep your ?nancial institution's data and reputation Our Cybersecurity Solutions are designed and managed for ?nancial institutions by experts in the ?nancial industry and cybersecurity.? See (last visited April 25, 2019). 29. To obtain the bene?ts represented by Fiserv, Bessemer and Fiserv entered into a ?master agreement? (?Master Agreement?). 30. Exhibit 1, to be ?led under seal separately from this Complaint but referenced herein, is a true and correct copy of the Master Agreement. 31. iserv has not performed in accordance with the Master Agreement, is in breach of the express and implied terms of the Master Agreement, and has engaged in other misconduct that has harmed Bessemer.2 Fiserv?s History of Failing to Protect Con?dential Financial Records 32. Fiserv has a sordid, unfortunate history of failing to protect con?dential information. Fiserv has been repeatedly put on notice that its security measures were de?cient, leaving Bessemer?s member information at risk. Rather than addressing the problems by updating its security, Fiserv continued to use outdated security methods long after vulnerabilities were brought to Fiserv?s attention. This left Bessemer, its members, Fiserv?s other customers, and their own customers at risk. 33. In February 2019, security analyst SecurityScorecard, Inc. rated Fiserv a on its A to scale. According to SecurityScorecard, Inc., a company such as Fiserv rated below a is 5.4 times more likely to suffer a consequential breach?a dismal state of security for a company such as Fiserv that is entrusted with safeguarding highly sensitive information pertaining to the customers of more than one in three ?nancial institutions in the United States. 34. In the course of conducting a security review of Fiserv, SecurityScorecard, Inc. uncovered over 40 weaknesses in Fiserv?s security, including the following: Fiserv has failed to update and patch affected systems to protect against commonly known security vulnerabilities and exposures, including delaying remediation of high-severity vulnerabilities for more than 30 days after publication. The incidents described in this Complaint are illustrations only. Fiserv has engaged in other relevant acts, omissions, concealments, and misrepresentations. Bessemer believes that additional incidents of Fiserv?s misconduct will be identi?ed after a reasonable opportunity for further investigation and discovery. -10- Fiserv employs products and services past their end-of?life or end-of- service deadlines. As these products and services are no longer marketed, sold, or upgraded by the manufacturers, they are more likely to be exploited and to have unpatched security vulnerabilities. In March 2018, Fiserv was observed engaging in communications indicative of a malware infection. In June 2018, Fiserv was observed engaging in communications indicative of yet another malware infection. Fiserv runs servers using an obsolete Secure Shell (SSH) network protocol that contains fundamental weaknesses that can be readily exploited by hackers, including a design ?aw that allows a man-in-the-middle attack. Fiserv employs weak ciphers and certi?cates that are expired, are self?signed, and have weak signatures. Fiserv?s web applications do not implement X-XSS?Protection best practices, meaning that hackers can send malicious URLs that inject code into Fiserv?hosted websites. Fiserv?s web applications do not implement X?Content?Type-Options Best Practices, which could lead to security issues and the execution of malicious code. Fiserv?s websites do not implement HSTS best practices, which render Fiserv-hosted sites vulnerable to a man-in?the?middle attack that can divert users to malicious websites. iserv?s websites do not enforce leaving users vulnerable to man?in-the?middle attackers who can falsify data and inject malicious code. Fiserv?s websites redirect users to a new URL in a way that cannot be secured with and HSTS headers, leaving users vulnerable to being redirected to spoofed or malicious versions of the sites. (1) When a user is redirected to his or her ultimate URL destination, the user passes through one or more URLs served over HTTP (instead of which weakens other security technologies (such as and HSTS headers) that are deployed elsewhere. Fiserv does not implement X-Frame-Options best practices, which allows other, untrusted websites to embed a iserv-hosted website in a frame on their page. This can be used to make social-engineering attacks appear more legitimate, or it can be used for clickjacking attacks. 35. Fiserv?s lax security controls have harmed Besseme?r on multiple occasions. 36. In 2016, Fiserv had a security breach and improperly and unlawfully provided Bessemer?s con?dential member information to an unauthorized third party. The information iserv disclosed without authority included members? names, tax identi?cation numbers, and portions of account numbers. This incident should have served as a ?wake-up call? to Fiserv that its security controls were inadequate. Unfortunately, Fiserv ignored multiple warning signs and failed to ?x its shoddy security. 37. In or around March 2017, Fiserv put an invalid return address on member account statements for Bessemer?s biannual veri?cation of accounts, although the correct address was supplied by the Credit Union to iserv. Members who received the statements were alarmed to receive these irregular statements with an unrecognized name or address. Statements of members who had recently moved or had supplied incorrect addresses were earmarked to be sent to a United States Postal Service ?dump pile? because of the invalid return address Fiserv placed -12- on the statements. Many of the undeliverable statements, which contain con?dential member information, were untraceable and unprotected in the postal system. Like the 2016 data breach, this incident threatened the con?dentiality of the sensitive ?nancial information entrusted to Fiserv. 38. As another example, Fiserv?s normal course of performance with Bessemer was to coordinate the installation and updating of antivirus software on Bessemer?s systems. Yet Fiserv inexplicably stopped doing so without explanation, despite the growing prevalence of cyberattacks. 39. In August 2018, Krebs on Security reported that a customer of a small ?nancial institution discovered a security vulnerability with Fiserv that permitted unauthorized individuals to see customers? account and transactional records, and to add or delete phone numbers and email addresses used to receive alerts about account transactions. See ?Fiserv Flaw Exposed Customer Data at Hundreds of Banks,? (August 28, 201 8). 40. According to this article, the customer contacted Fiserv through multiple outlets, including messages sent to the social media accounts of various individuals who were identi?ed as af?liated with Fiserv. iserv, however, failed to ?x this known security vulnerability in response to these consumer complaints. 41. Fiserv?s Code of Conduct Business Ethics contains a social media policy that covers the use of Linkedln, Twitter, Facebook, forums, and blogs, and Fiserv regulates its employees? use of Fiserv?s trademarks on social media. Fiserv notes that social media ?is an established part of many people?s personal and professional lives?and the lines have blurred.? See (last visited -13- April 25, 2018). Accordingly, Fiserv knows, or should have known, about communications sent to the social media accounts of its agents who have identi?ed themselves as Fiserv representatives on social media platforms. 42. Fiserv spokesperson Ann Cave con?rmed that Fiserv did not make efforts to remediate this known threat until after receiving an inquiry from a reporter?when negative press coverage was imminent. According to Ms. Cave, ?After receiving [the reporter?s] email, iserv] engaged appropriate resources and worked around the clock to research and remediate the situation. [Fiserv] developed a security patch within 24 hours of receiving noti?cation and deployed the patch to clients that utilize a hosted version of the solution. [Fiserv] will be deploying the patch this evening to clients that utilize an in?house version of the solution.? Thus, only after iserv faced the imminent prospect of negative press attention did Fiserv engage[] appropriate resources? to ?x its security lapse. 43. According to this press report, customer information at hundreds of ?nancial institutions remained vulnerable to this security lapse. 44. iserv did not notify Bessemer and its customers about this security lapse until after Fiserv received negative press coverage. 45. Unfortunately, Fiserv?s internal culture actively discouraged emphasis on data security. For example, even one of Fiserv?s own employees recognizes the inadequate state of the security at Fiserv. and the inadequacy of Fiserv?s support and outreach channels. In a post responding to the Krebs on Security article, Adam Kindler, Fiserv?s Information Security Manager, invited customers to message him through his personal social media account so that he ?can use what in?uence [and] means I have at our company, above and beyond customer support and outreach branches, to address their concerns.? -14- 46. On the heels of the Krebs on Security article indicating that Fiserv?s online banking system contains security vulnerabilities, as well as a history of other problems Bessemer had with Fiserv, Bessemer conducted a review of Fiserv?s security controls. 47. The security review uncovered critical security ?aws with the online banking system Fiserv was providing Bessemer. 48. At the time, all that iserv required to register for an online banking account with Bessemer was an account number and the last four digits of the member?s Social Security number. Given the weak security controls Fiserv implemented on Bessemer?s online banking system, an unauthorized individual can access a member?s online banking account by obtaining the member?s account number (such as from the face of a check or guessing an account number based upon the sequence used to assign account numbers), and then either knowing or guessing the last four digits of a member?s Social Security number. 49. Because Fiserv did not impose rate limiting, there was no ?lockout? enforced by the online banking system to stop unauthorized individuals from using a pure trial?and?error guessing process (which can easily be automated) to gain access to Bessemer?s online bankng accounts. 50. It would be expected that a company as sophisticated as Fiserv would implement appropriate controls to safeguard Bessemer?s online banking accounts against unauthorized access through trial-and?error or ?guessing.? With reSpect to Bessemer?s online banking website, Fiserv failed to implement reasonable security controls such as those that: require the use of an authentication procedure with suf?cient complexity and secrecy; -15- implement a rate-limiting mechanism to effectively limit the number of failed authentication attempts that can be made on an online banking account; (0) require an individual to complete a ?captcha? (a simple puzzle used to thwart automated access attempts); impose an adequate waiting or lockout period following a failed login attempt; and leverage other risk-based or adaptive authentication techniques to identify user behavior that falls outside typical norms, including repetitive, highly anomalous behavior consistent with a ?guessing? or trial?and-error method to gain access to Bessemer?s online banking website. 51. In the course of Bessemer?s security review, Fiserv scrambled to place additional security controls on Bessemer?s online banking website. These, too, were pitifully de?cient and ineffective. 52. Fiserv attempted to fortify Bessemer?s online banking website by requiring users registering for an account to supply a member?s house number. This was ineffective because residential street addresses can readily be found on the internet and through other public sources. Moreover, this information can be guessed through a trial-and-error process. Most alarmingly, this security control was purely illusory. Because some servers were not enforcing this security check, it could be readily bypassed. 53. The security review also uncovered that when a user turns off avaScript, it is possible to bypass the web page that was supposed to enforce a member?s acceptance of the Bessemer online banking website?s terms of service. -16- 54. after their discovery, Bessemer reported to iserv security vulnerabilities with the online banking website Fiserv maintains for Bessemer. 55. Upon reporting these security problems to Fiserv, Bessemer requested documentation and assurances that its con?dential member information was being properly safeguarded. 56. Adding insult to injury, rather than ?xing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued Bessemer a ?notice of claims? claiming that Bessemer?s security review of its own online banking system gives rise to civil and criminal claims, and demanding that Bessemer not disclose information relating to the security review to any third parties, including Fiserv?s other clients (who presumably were affected with the same security problems at their ?nancial institutions) as well as media sources. 57. Fiserv knew it had no proper basis for threatening Bessemer for conducting a security review of Bessemer?s account records and information in Fiserv?s custody. The Master Agreement acknowledges that Bessemer?s records and information ?shall remain the property of [Bessemer],? even while in Fiserv Solutions?s custody or control (Master Agreement Indeed, Fiserv?s Forms 10-K ?led with the United States Securities and Exchange Commission for at least the past several years concede that Fiserv expects that its ?nancial institution clients will ?conduct ongoing monitoring and risk management for third?party relationships,? and that ?independent auditors annually review many of our operations to provide internal control evaluations for our clients.? 58. In addition, iserv lacked a good-faith basis when threatening Bessemer with legal claims or criminal prosecution if Bessemer were to disclose Fiserv?s security weaknesses to -17- others. The Master Agreement expressly gives Bessemer ?the right to make general references about [Fiserv Solutions] and the type of Deliverables being provided hereunder to third parties? (Master Agreement 59. Upon information and belief, Fiserv has issued threats to others who have discovered security vulnerabilities, as well as to members of the press, in an effort to conceal these problems from affected ?nancial institutions and consumers. 60. Fiserv wishes to keep its security failures under wraps because it desires to mislead its customers into continuing to entrust their con?dential information with Fiserv, while maintaining a high stock price and arti?cially in?ating the value of Fiserv?s corporate goodwill. iserv?s 2018 SEC Form 10-K admits that a security incident allowing unauthorized access to clients? data could give ?a loss of con?dence in our ability to serve clients and cause current or potential clients to choose another service provider. . .which could have a material adverse impact on our business.? By intentionally failing to disclose or suppressing information about its security problems, Fiserv misled Bessemer, its members, and other customers into continuing to use iserv?s service offerings, thus providing Fiserv with ill-gotten gains, thwarting its competitors, and arti?cially fattening its stock price and goodwill. Fiserv has a particular interest in arti?cially increasing the value of its goodwill and intangible assets, as they represent over 70% of Fiserv?s total assets. 61. As a ?nancial institution, Bessemer has a continuing interest in ensuring that the integrity of its member information is maintained, and that such information is safeguarded from future breaches. 62. Because Bessemer?s core function is serving its members? ?nancial needs, Bessemer is faced with increased costs of dealing with members who have placed fraud alerts or -18- credit freezes in response to iserv?s data breaches, making it impossible or burdensome for Bessemer to evaluate members? creditworthiness for current or potential credit or loans. In addition, given iserv?s delays in returning Bessemer?s information so that Bessemer can transition to a new vendor (see infra), Bessemer faces the dilemma that, in order to function, it must share its member information with Fiserv, which has proven to lack the ability to safeguard member information. 63. Fiserv was aware of the risks posed by its weak security controls and the extraordinarily sensitive nature of the personal member information it maintains, as well as the resulting impact that a data breach would have on a ?nancial institution such as Bessemer. 64. Unfortunately, Fiserv?s approach to maintaining the privacy and security of its customer data was grossly negligent and reckless, or, at the very least, negligent. Fiserv failed to follow industry standard precautions in response to known risks, and Fiserv knew that its security controls were substandard and de?cient. 65. Bessemer now faces years of constant surveillance and increased vigilance against fraudulent activity involving its members. While consumers are ultimately protected from most fraud losses, Bessemer is not, as ?nancial institutions bear primary responsibility for reimbursing members for fraudulent transactions. Bessemer?s Member Information Is Very Valuable on the Black Market 66. The types of information Fiserv maintains for Bessemer are highly valuable to identity thieves. The names, email addresses, recovery email accounts, telephone numbers, birthdates, passwords, security question answers, and other valuable member information can all be used to gain access to a variety of existing accounts and websites. 67. Identity thieves can also use Bessemer?s member information for embarrassment, blackmail, or harassment in person or online, or to commit other types of fraud, including -19- obtaining ID cards or driver?s licenses, fraudulently obtaining tax returns and refunds, and obtaining government bene?ts. A report from the United States Government Task Force on Identity Theft explains the harm befallen to Bessemer and its members: Businesses suffer most of the direct losses from identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime. In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect ?nancial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. . .. In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and Open new ones, and dispute charges with individual creditors.3 68. To put it into context, as demonstrated in the chart below, the 2013 Norton Report, based on one of the largest consumer THE 6103.?. (YEHGWIE cybercrime studies ever conducted, estimated that 5113 image mum I the global price tag of cybercrime was around $113 billion at that time, with an average cost per victim USD $293 of $298. 69. Once stolen, member information can be used in a number of different ways. One of the most common is that it is offered for sale on the ?dark web,? a heavily part of 3 The President?s Identity Theft Task Force, gil??l?HItIIJgI?d?lj?ljlh Federal Trade Commission, 11 (April 2007). -20- the intemet that makes it dif?cult for authorities to detect a website?s location or owners. The dark web is not indexed by normal search engines such as Google and is accessible only using a Tor browser (or similar tool), which aims to conceal users? identities and online activity. The dark web is notorious for hosting marketplaces selling items such as weapons, drugs, and member information. Sites on the dark web appear and disappear quickly, providing cover for illegal transactions. 70. Once someone buys member information, it is then used to gain access to different areas of the victim?s digital life, including ?nancial accounts, social media, and credit card details. During that process, other sensitive data may be harvested from the victim?s accounts, as well as from those belonging to family, friends, and colleagues. 71. In addition to member information that can be accessed, a hacked online banking account can be very valuable to cyber criminals for other attacks. Since online banking accounts are linked to other accounts (for example, to transfer funds between ?nancial institutions), a hacked online banking account serves as a springboard for a hacker that opens up a number of other accounts. 72. The problems associated with identity theft are exacerbated by the fact that many identity thieves will wait years before attempting to use the member information they have obtained. Indeed, in order to protect its member information, Bessemer will need to remain vigilant against unauthorized use of its member information for years and decades to come. Fiserv Has Falsi?etl and Misr'gpt'csented Bessemer?s Member and Transactional Records 73. In addition to failing to safeguard con?dential member information against access by unauthorized parties, iserv has falsi?ed and misreported that information to Bessemer, its members, and other authorized individuals. -21- 74. In or around July 2018, Fiserv falsely represented to Bessemer that a member?s account was closed. In fact, the member did not close the account. iserv also made unauthorized changes to the member?s account information, which prevented dividends owed to the member from being applied and posted to the account. iserv falsely reported to Bessemer that this member was owed no dividends, when in fact the member was owed dividends from Bessemer. Based upon Fiserv?s false reporting of information and unauthorized changes to account information, this member was not timely paid dividends that were owed to him, and the member was prohibited by Bessemer from making deposits into the account based on Fiserv?s false representations that the account was closed. What?s more, after Fiserv reported to Bessemer that this account was closed, Fiserv accepted an incoming transfer on that member?s behalf of funds that were intended to be posted to that member?s account. Fiserv, however, failed to report this transfer on Bessemer?s ?exception list? (a list that contains incoming transfers that were intended for closed accounts) and instead transferred the member?s funds to the account, which was no longer properly provisioned to accept funds and calculate dividends owed on the funds. All of this caused consumer confusion and deprived a member of access to funds and dividends to which he was entitled. In response to iserv?s failure to properly post dividends to a member?s account, Katherine King of Fiserv informed Bessemer?s CEO that would agree you [Bessemer] need to post these dividends. . .. I am not sure how to work around this issue for you.? 75. After Bessemer reported that Fiserv was not properly allocating loan payments and was misreporting that a member still owed money on an already-paid-off loan, Mark Britton of Fiserv admitted on or about February 19, 2019 that he ?told [Bessemer?s Chief Executive Of?cer] that it should work.? But Fiserv lied when representing that its system would accurately -22- process loan payments and report loan balances. As a result of the Credit Union?s persistent complaining, Fiserv later acknowledged that the Credit Union?s Chief Executive Of?cer ?was adamant that this wouldn?t work and she is correct.? Indeed, Mr. Britton acknowledged that one of his Fiserv colleagues completed a test of Fiserv?s loan processing system and, with respect to a loan that should have been fully paid off, Fiserv con?rmed that it falsely ?put a negative balance of 1 5.41 on the loan history. ..and still shows late fees as $49.24.? 76. During the conversion of Bessemer?s data from Fiserv?s Loan Advantage platform4 to Fiserv?s Loancierge platform, Fiserv falsi?ed documents by inserting what Bessemer believes to be another Fiserv customer?s electronic documents loan agreements, promissory notes, and loan disclosures) into Bessemer?s Loancierge application. This caused incorrect language and terms to display on Bessemer?s loan disclosures, which gave the false impression that the documents were authentic business records of Bessemer. Fiserv was provided the correct information by Bessemer, yet it reported false information and altered Bessemer?s business records. For instance, language purporting to require Bessemer?s members to pay the Credit Union certain late fees appeared, even when it was not the Credit Union?s intent to charge those fees. 77. Fiserv sent Credit Union members federal 1098 mortgage statements that falsely reported the principal balance of the loans in the ?eld for Private Mortgage Insurance. iserv was provided with accurate information for these statements and assured the Credit Union that it Loan Advantage is designed to package loan con?guration and implementation. The services include ?credit processing, contract funding, dealer integrations, accounting and cash management, default management, collateral management and customer care, which enable lenders to use a single partner for their origination, accounting and servicing needs.? See (last visited April 25, 2019). -23- would issue corrected 1098 statements, but Fiserv never provided documentation of these corrected statements. 78. Fiserv has knowingly and repeatedly printed false mortgage interest, late-fee, and other transactional information on receiptsrand other documents provided to members, even though Bessemer informed Fiserv of the accurate information. For example, a January 4, 2017 share deposit receipt generated by Fiserv for a member falsely indicated that there were deposits of $300.00 in cash and a $69.68 check, when Bessemer informed Fiserv that the member actually deposited just $90.00 in cash and no checks. 79. Fiserv has knowingly misrepresented due dates for loans. When Bessemer reported this issue to Fiserv, iserv explained that when a loan is entered with a due date on the 28th, 29th, 30th, or 3 1 st of the month, it is Fiserv?s practice to misreport the due date as the last day of the month, regardless of the loan?s actual due date. Fiserv conceded that this false repeating of information is a ?known issue? with its account processing system. Yet, despite having actual knowledge that it was supplying false information, Fiserv continued to supply false information. 80. Currency adjustment transactions are inconsistent and intermittently fail to re?ect correct cash or check adjustments for teller drawers. iserv assured the Credit Union that this issue would be corrected in a ?lture software update release, but the update was consistently delayed. iserv never con?rmed that this issue was ?xed. 81. In or around June 2018, iserv deleted transactions that should have been present on the Homebanking Register Report. This report was supposed to include a complete and accurate list of all the prior day?s homebanking transactions. -24- 82. In or around July 2018, Bessemer completed a payment transfer transaction using the Fiserv system for a member with a mortgage through Bessemer. The member owed $1,361.70 in late fees, which were fully paid by transferring funds from the member?s share account to the member?s home equity loan. While the member?s share account history showed that the full amount of $1,361.70 was transferred to pay off these late fees, the loan history showed that only $361.70 was received from this transfer and applied to the loan. Thus, to the member it would appear that $1,000.00 was missing. An excerpt of the inaccurate statement furnished by Fiserv is shown below, with the relevant transactions highlighted: 06 06 06 06 066303 .810 2318 3018 3013 069118 062513 05.3?3 osgoia 83. 016 SHARE ACCOUNT DEPOSIT PAYMENT TRANSFER 12*: [All ('Hl?qlliil?. PAYMENT TRANSFER DIVIDEND ANNUAL peacanrnce YIELD EARNED IS 00.243 THRU JUNE 30, 20] FOR APRIL 01, 2018 036 HOME EQUITY PAYMENT PAYMENT TRANSFER 93? l$7f LPARL: PAYMEN i 33516. 3 m1 907. 3301.f 3124?. G- . 3 7.. BALANCE SALANC 775.03_ 783.03? 31247.06! BALANCF 33507.b6 32659129 ?1397.30 50153 50.50 50.55 32300.32 32030.44 31207000 jliif,?o :00 .ho When Bessemer contacted Fiserv about the false information being reported, Fiserv informed Bessemer that Fiserv?s system knowingly falsely reports such transactions and cannot correctly report them when more than $999.99 is entered in the relevant system ?eld, and that iserv would not correct the pro gramming used to calculate transactions of this type. Several weeks later, Fiserv informed Bessemer that Fiserv was going to manually rebuild the statement for this member in order to properly re?ect the total amount paid. 84. In proceedings involving loans paid by the bankruptcy court, the court provides a single check With explicit instructions on how to apply the check to the speci?c loan. But Fiserv?s software cannot accommodate the correct application of a check in a single transaction in the speci?c manner required by the bankruptcy court. As a result, Bessemer is forced to apply the designated amounts of the check to principal and interest as separate check transactions, even though Bessemer receives only one check, because Fiserv?s software cannot process multiple entries for interest, principal, and fees to a loan from a single check. When the Credit Union asked Fiserv about these transactions, Fiserv responded that it will allocate only one payment per check. Fiserv asked for a business justi?cation for addressing this issue, and even when the Credit Union explained that the bankruptcy court requires these transactions to be handled in a particular way, Fiserv declined to correctly re?ect these transactions, stating that it ?has been this way for years and would require hours of programing changes, the programmer said this was not going to happen.? Fiserv?s Account Processing System Contains a Litanv of Bugs and Defects 85. iserv?s services have been laden with bugs and defects. ohnette Preddy of iserv admitted in an email to Bessemer?s CEO that there was an ?extreme number? of problems that Fiserv was in?icting upon Bessemer: ?Yes, we agree, Bessemer System has experienced an extreme number of issues. Everyone on our team is aware of these issues and we continue to work for resolution I sincerely apologize for the inconveniences and impact to your business.? (emphasis added) 86. As one example, during the course of just one business day, April 5, 2019, Fiserv informed Bessemer that its systems were manifesting the following errors: The Credit Union?s document archive hosted through Fiserv?s eFichency system experienced a service interruption; Less than one hour later, Fiserv?s eFichency system was experiencing time out errors; ?26- (0) Members logging into Virtual Branch would receive an ?authentication error error message when accessing their eStatements; and Members using the search option in Virtual Branch would receive an ?Exception: (503) Service Unavailable error. 87. On many occasions, Fiserv?s Charlotte system was unavailable, causing Bessemer to be denied access to its account records and information needed to process member transactions and to function as a ?nancial institution. 88. Bessemer?s members have reported that their bill payments were failing to be properly made in accordance with the members? instructions. Fiserv conceded that this is another known defect with its account processing system. 89. ACH and share draft returns fail to process during system-wide connection outages. Fiserv issues a report each day and misrepresents that returns are in progress. Although the Credit Union maintains documentation proving that the returns were processed through Fiserv?s automated system and received by Fiserv, the funds for the returned items were not received by the Credit Union as expected. Instead, Fiserv seemingly failed to present the returns to the Federal Reserve for credit. These issues consistently arise when Fiserv experiences connectivity problems. 90. Fiserv has outsourced many of its functions, which resulted in a degradation of and disruption in the service provided to Bessemer. For example, when Fiserv looked up Bessemer in its system by the Credit Union?s identi?cation number, Fiserv?s call center personnel were unable to identify which Fiserv platform Bessemer uses. Fiserv even candidly admitted that since it has outsourced much of its call centers? personnel, Fiserv?s support personnel may be unable to provide proper support functions. -27- 91. Bessemer?s staff members constantly ?nd themselves locked out of the system and unable the system, which inhibits Bessemer?s ability to serve its customers. For example, a teller?s computer froze when the teller was processing a transaction for a member. When the teller attempted to log off, a pop-up appeared with an Outlook Wizard asking to set up Outlook. The teller was unable to log back on to the computer. Although Fiserv previously instructed Bessemer employees to use the log?off button exclusively to prevent log? off problems, Fiserv has since instructed Bessemer staff members never to use the log-off button. 92. Bessemer?s staff members have reported frequent latency with the Charlotte teller platform. Fiserv has blamed the Credit Union?s intemet connection, the amount of RAM in the Credit Union?s computers, the way the Credit Union staff members were using the computers, the failure of the Credit Union?s staff to log off at lunchtime, the need to reboot the server every Sunday, and a variety of possible equipment?related issues. Fiserv?s finger?pointing and re?exive ?blame the customer? responses to these issues have caused Bessemer to incur losses for obtaining unneeded goods and services. Eventually, Fiserv conceded that this issue was due to its own service not responding properly. 93. All of Bessemer?s networked front-line printers will periodically step working, even when the software itself appears to be working. This issue prevents the Credit Union from printing receipts, checks, or other documents for members. As a result, the Credit Union has been unable to provide members with receipts or checks documenting the members? transactions, and the Credit Union is, therefore, unable to serve its members. 94. The Credit Union is consistently blocked from printing checks on the check printer. The Credit Union has continuous check activity, which the Credit Union logs in its system so that its checks are numbered consecutively. However, periodically, front-line tellers -23- are suddenly unable to print the checks, unless all employees reboot their computers. When the Credit Union informed Fiserv of the issue, Fiserv?s only solution was to have the Credit Union join a WebEx to replicate the issue. The Credit Union has done this at least 10 times, and the issue has yet to be ?xed. 95. On many occasions, including in or around May 2018, Fiserv?s system returned errors and failed to provide correct information in response to Bessemer?s attempts to look up members? account numbers, causing disruption of service to the members. 96. On many occasions, including in or around July 2018 through April 2019, Bessemer informed iserv that it received ongoing error messages related to the Access AdvantageS platform. Though iserv purported to solve the issue by moving Bessemer?s data to another server, the errors continued, causing disruption to Bessemer?s operations. As a result of these errors, sometimes transactions are processed, but a receipt of the transaction is not generated. Sometimes, the system reports that a transaction has failed, but the transaction actually goes through. iserv has informed Bessemer that multiple credit unions on different iserv core processing systems have experienced this problem. 97. Bessemer?s system continues to have delays and issues with programs not loading properly or continuing to freeze, which results in tellers and employees being unable to complete their tasks and meet the Credit Union?s members? needs in a timely manner. 98. The entire Fiserv system will periodically crash, be unavailable or not provide requested information, and both members and employees are then unable to process any transactions, access funds, or get truthful information concerning account records. 5 Access Advantage ?easily enables real-time integration of third-party applications with Portico,? a Fiserv operating platform. See (version in effect on August 23, 2018). -29- 99. On or about November 21, 2017, a business listing was uploaded by the United States Treasury Department?s Financial Crimes Enforcement Network The Credit Union downloaded the business listing ?le. When the Credit Union attempted to upload the ?le on Con?rmIT (F iserv?s website that was supposed to be available), the Credit Union repeatedly received an error message, and the upload failed. Fiserv?s errors frustrated Bessemer, consumed unnecessary time and resources, and caused delays in the Credit Union?s efforts to comply with applicable law. 100. In or around May 2018, Bessemer was unable to run a review using Fiserv?s Con?rmIT product, and Bessemer received an error message when trying to upload both the individual and the business listings. This issue has occurred many times previously. Bessemer attempted to work with Fiserv to ?nd a resolution, but no explanation or permanent solution was provided to Bessemer. As a result of its inability to comply with this regulatory request, Bessemer may be subject to penalties based on Fiserv?s failure to act. Fiserv?s failures are directly impairing Bessemer?s ability to comply with legally mandated processes, despite assurances that the Fiserv system would provide compliance. 101. Despite representations that it would be accessible for required reporting, Fiserv scheduled maintenance of its eFichency platform on the same day that federally mandated reports were due to be ?led, with knowledge that Bessemer and other credit unions would require access to eFichency for assistance in compiling and completing those reports. On other occasions, eFichency is frequently nonfunctioning or unavailable. Fiserv Has Engaged in Bad Faith and Deceptive Practices 102. Fiserv has repeatedly acted in bad faith and deceptively. 103. Fiserv represented that it would utilize suf?cient data security protocols and mechanisms to protect and accurately report Bessemer?s member information. -30- 104. Bessemer stored its member information in Fiserv?s systems based upon Fiserv?s representations. 105. iserv falsely represented that its systems were secure and that Bessemer?s member information would remain private and accurate. Fiserv knew or should have known that it did not employ reasonable, industry standard, and appropriate measures to ensure the security and accuracy of member information. 106. Even without these misrepresentations, Bessemer was entitled to presume, and did expect, that iserv would take appropriate measures to keep Bessemer?s member information safe and accurate. Fiserv did not disclose at any time that Bessemer?s member information was vulnerable to hackers or falsi?cation because Fiserv?s security and recordkeeping measures were inadequate, and Fiserv was the only one in possession of that material information, which it had a duty to disclose. Fiserv misrepresented, both by af?rmative conduct and by omission, the safety and soundness of its many systems and services, speci?cally the security and accuracy thereof, and their ability to safely store and process Bessemer?s member information. iserv also engaged in deception by failing to implement reasonable and appropriate security measures or to follow industry standards for data security, and by failing to comply with its own policies and agreements. 107. As alleged above, Fiserv knew its data security and recordkeeping measures were grossly inadequate by, at the absolute latest, reports of security compromises and falsi?ed customer information coming to light, exposing Fiserv?s lax and inadequate approach to data security and recordkeeping. At that time, Fiserv was on notice that its systems were extremely vulnerable to attack and that the account records and information it stores was subject to falsi?cation?facts Fiserv already knew given its previous exposures and problems. -31- 108. In response to all of these facts, Fiserv failed to properly respond or warn Bessemer about these problems and, instead, openly represented that Fiserv had adequate security and recordkeeping practices and protocols. 109. Fiserv had an obligation to disclose to Bessemer that its members were easy targets for hackers and that Fiserv was not implementing apprOpriate measures to protect them and the accuracy and safety of their information. 110. Fiserv did not do these things. Instead, Fiserv willfully deceived Bessemer by concealing the true facts concerning its data security and recordkeeping, which Fiserv was obligated to, and had a duty to, disclose. Fiserv had exclusive knowledge of undisclosed material facts, namely, that Bessemer?s member information in Fiserv?s custody was unsecure and subject to unauthorized alteration and falsi?cation, and Fiserv withheld that knowledge from Bessemer. Additionally, Fiserv made numerous representations following the prior data security vulnerabilities to assure its customers that their member information and other data was safe, and that Fiserv was dedicated to maintaining that security. 111. Had Fiserv disclosed the true facts about its poor data security and recordkeeping practices, Bessemer would have taken measures to protect itself. Bessemer justi?ably relied on Fiserv to provide accurate and complete information about its data security and processing of Bessemer?s member information, and Fiserv did not do so. 112. Alternatively, given the security lapses and other problems in iserv?s services and Fiserv?s refusal to take measures to detect, much less ?x them, Fiserv simply should have shut down the services Bessemer was using and returned Bessemer?s member information so that it could transition to another service. Independent of any representations made by Fiserv, Bessemer justi?ably relied on Fiserv to provide a service with at least minimally adequate -32- measures to protect the con?dentiality and integrity of Bessemer?s member information, and Bessemer justi?ably relied on iserv to disclose facts that would undermine that reliance. 113. Rather than ceasing to offer a clearly unsafe and defective service or disclosing to Bessemer that its services were unsafe and that member information was exposed to theft and falsi?cation on a grand scale, Fiserv continued on and concealed any information relating to the inadequacy of its security and service offerings. 114. In addition, iserv repeatedly has issued invoices that are erroneous, are false, and overstate the amount the Credit Union actually owes iserv. The accuracy of Fiserv?s invoices is very important because Fiserv purports to prohibit Bessemer from making any deduction or setoff from amounts invoiced by iserv, even though Fiserv knows its invoices are false. For example, Fiserv wrongly billed the Credit Union for CD Processing,? after the Credit Union explicitly asked Fiserv to stop providing this service. Yet, for at least the following seven months after Fiserv st0pped performing this service for Bessemer, Fiserv nevertheless continued to invoice Bessemer for this cancelled service. Fiserv invoiced the Credit Union an extra $100 per month for a backup connection that never worked. Fiserv ?nally ceased charging the Credit Union for this backup connection in May 2017, yet Fiserv has not refunded these improperly charged fees. Invoice charges in December 2018 included billing for IRA Fair Market Value reporting for 121 accounts at $0.32 per account, while the January 2019 invoice includes billing for 115 IRA accounts at $0.336 per account. Fair Market Value reporting is done only once per year, at year?end. Invoice totals also appear to be incorrectly re?ected on the invoices, as the total of an invoice frequently does not equal the sum of the line items or amounts due to Fiserv. -33- Fiserv has continued to invoice Bessemer for services after Bessemer terminated the Master Agreement and after Fiserv refused to return Bessemer?s account records and information as requested. Even though Fiserv agreed to deconvert Bessemer from its system, Fiserv?s invoices to Bessemer re?ected fees for the period occurring after the deconversion, such as an invoice sent to Bessemer in January 2019 for a year?s worth of multi-factor authentication. Items that Fiserv had agreed to provide without cost appear on bills, in an express disregard of Fiserv?s representations to Bessemer. For example, Fiserv has billed the Credit Union for items that Fiserv agreed to pay for, including equipment and travel expenses related to attempts to address connectivity issues. Additionally, Fiserv has sent the Credit Union a large bill for statement mailing services nearly one year late. Moreover, Fiserv?s November 2017 invoice to the Credit Union includes a line item for Vacation Club withdrawals and Christmas Club withdrawals, which should have been invoiced months earlier. The amounts for these withdrawals are also incorrect and inconsistent with prior invoices from Fiserv. 115. In or around August 2016, Fiserv insisted that the Credit Union add increased memory and a ?rewall to its system, based on Fiserv?s assurances that these upgrades would ?x various issues. In fact, these hardware upgrades failed to resolve the issues that Fiserv represented they would 116. Fiserv has instructed Bessemer to install additional memory on computers that were ordered for Bessemer by Fiserv and according to Fiserv?s speci?cations. Fiserv represented that purchasing and installing new CAT6 cables for all workstations would provide relief for some issues the Credit Union was facing, but that has not been the case. -34- 117. Bessemer, in reliance on Fiserv?s representations, procured and installed a new hub, and a new Cisco 24 port switch in an effort to solve connectivity problems. Bessemer also upgraded its internet speed. While Fiserv represented to Bessemer that obtaining these goods and services would ?x various problems, that has not been the case. 118. Fiserv forced the Credit Union to transition to its Loancierge6 program with very little notice, and the program has been riddled with bugs and defects. The Credit Union wished to stay with Loan Advantage for its loan processing, but Fiserv indicated that it was not willing to invest in the programming changes necessary to correct calculation problems that had been noticed in Loan Advantage. Fiserv refused to support that software and insisted that the Credit Union pay thousands of dollars in implementation fees fOr continued viable use of this functionality through an ?upsold? additional Fiserv product. Unfortunately, Loancierge has similar defects. 119. Fiserv?s Sellstation/Charlotte Teller7 and other Fiserv software platforms have connectivity issues, causing the system to be down repeatedly, together with other serious defects affecting Bessemer?s operations. In particular, the freezing of the software seemed to become more prominent when Bessemer was handling an increased number of transactions, which meant that on its busiest days, the Credit Union suffered the worst issues with the software. Despite Bessemer having informed iserv of the issue, as recently as June 27, 2018, the software was severely lagging, causing a serious delay in servicing members. At the Loancierge is a loan processing system that purports to provide member information to a credit union ?on demand? and with ?first-in?class functionality with a native, browser-based interface users can access anytime, anywhere.? See unions/loanciergeaspx (last visited April 25, 2019). Sellstation/Charlotte Teller is Fiserv?s transaction processing software that is a part of Fiserv?s Charlotte core processing system. -35- suggestion of iserv, the Credit Union has made a signi?cant investment to have both a Public (Internet) and a Private (MPLS) connection to Fiserv in order to avoid inconvenience to Bessemer?s members. However, the problem is at the host (Fiserv) rather than with the type of connection Bessemer has. 120. Bessemer asked Fiserv initially for a proposal to implement ?real-time? negative balance reporting through the MasterCard debit network, and Fiserv responded that this update would be ?simple? and would require a one?time charge of only $37 to make negative balances within the ATM/debit system available. Bessemer, in reliance on this representation by Fiserv, began a six-week implementation process with its Courtesy Pay provider as a result of Fiserv?s assurances that the update would be ?simple? and cost ef?cient, and would require a charge of only $37. Four weeks into the process, the Credit Union tested a Courtesy Pay debit card at an ATM, and the transaction was unsuccessful. When the Credit Union informed Fiserv of the defect, Fiserv responded that it ?just realized? that the Credit Union?s debit cards and debit program were not ?real-time,? even though iserv was previously aware of this information. Fiserv then indicated that an additional $3,500 fee, along with increased support costs, would be required to obtain the functionality originally promised by iserv at a cost of $37. 121. The Of?ce of Foreign Assets Control scans are mandated to ensure that ?nancial institutions such as Bessemer are in compliance with regulations designed to curb transactions that may funnel resources to terrorists, narcotics traf?ckers, and other problematic individuals and entities. Since at least 2005, the biweekly scans had been automatic, and Fiserv?s system would send an automatic email to indicate that the scan had been done and to note whether any further research was needed for potential ?hits? on the OFAC sanctions lists. Recently, when Bessemer stopped receiving notice of the automatic scans, Fiserv indicated that ?36- it no longer would perform the required scans. Fiserv, however, failed to provide the required written notice to Bessemer regarding its to change and/or discontinuance of this process. Instead, Fiserv stopped performing this account processing service altogether without providing proper notice to Bessemer. From April 1, 2017 through July 27, 2017, Fiserv did not perform OF AC system scans. When the Credit Union asked Fiserv about an alternative procedure in July 2017, iserv tasked the Credit Union with manually performing OFAC scans through a burdensome process requiring 18 pages of instructions for manual work that involve Bessemer personnel manually editing text ?les, manipulating Excel ?les, and opening multiple windows and lists in Sellstation. This procedure is not only burdensome for Credit Union personnel, but it is inef?cient, impractical, and a waste of Credit Union resources. Fiserv, however, previously represented to Bessemer that iserv would provide this ?mctionality, and it has continued to invoice Bessemer for these OFAC scans, even though Fiserv?s system was no longer performing this service. 122. Even though Fiserv had knowledge that its system was malfunctioning, insecure, and reporting false information to the Credit Union and its members, Fiserv failed to properly address these issues, including by failing to put the Credit Union on notice of them, failing to report accurate information, refusing to return the Credit Union?s information to it, and insisting that the Credit Union continue to receive services from Fiserv on an exclusive basis. 123. The Credit Union frequently opens up support requests with Fiserv, sometimes as frequently as each business day. Fiserv has improperly closed the Credit Union?s technical support requests without resolving them, or it has falsely mischaracterized issues reported to iserv. When the Credit Union reports an issue, Fiserv routinely marks these reports as either ?no priority? or ?medium priority,? despite the issues being of high priority to the Credit Union. -3 7.. Fiserv unilaterally makes these priority determinations and considers these matters closed without providing solutions. Support requests are routinely closed after a period of time even though no resolution has been provided. Fiserv?s responses to support requests sometimes include verbiage to which the Credit Union can ?Accept? or ?Reject? Fiserv?s response. Yet even when the Credit Union rejects a ?proposed solution,? Fiserv improperly closes the support request. Similarly, iserv has falsely mischaracterized the Credit Union as being satis?ed with iserv?s efforts to attempt to address problems, when that has not been the case. Fiserv Fails to Properly Respond to Bessemer?s Claims and Reneges on a Settlement Agreement 124. Prior to seeking redress in court, Bessemer availed itself of the Master Agreement?s dispute-resolution provision, which requires the parties to work in good faith to resolve disputes prior to commencing litigation. 125. Exhibit 2 hereto is a true and correct copy of Bessemer?s notice of breach, which invoked the dispute?resolution provision of the Master Agreement. 126. As part of the notice of breach, Bessemer issued an audit demand for several categories of documents that Fiserv was required to produce to Bessemer under various provisions of the Master Agreement. These requested documents included documents related to the amounts Fiserv invoiced Bessemer, and documentation relating to the security of Bessemer?s records and information in Fiserv?s custody. Auditing these documents was important to Bessemer because, as a regulated ?nancial institution, it is required to audit and manage its vendor relationships, improper charges have appeared on Fiserv invoices, and Fiserv has previously compromised the security of Bessemer?s account records and information and permitted them to be accessed by unauthorized individuals. iserv, however, refused to timely participate in the audit and failed to provide the requested audit documents. Accordingly, Fiserv -38? was unable to establish that its invoices were proper or to provide adequate, let alone any, assurances that Bessemer?s account records and information were being properly safeguarded in accordance with applicable requirements. 127. Exhibit 3 hereto is a true and correct copy of Bessemer?s supplemental notice of breach. 128. Under the dispute?resolution provision of the Master Agreement, Fiserv was required to designate an of?cer or other management employee with authority to bind Fiserv to meet with Bessemer to resolve Bessemer?s claims. Fiserv, in breach of its express duty under the Master Agreement, did not participate in this process as required by the Master Agreement, much less in good faith. On the contrary, Fiserv delayed, waiting until April 5, 2018?months a?er Bessemer provided its notice of breach?to designate a representative. Then, the individual representative Fiserv designated to meet with Bessemer lacked adequate knowledge of the relevant events and appeared to lack the suf?cient authority to bind Fiserv to any good-faith resolution of Bessemer?s claims, as required by the Master Agreement. That individual did not make a suf?cient effort to resolve the dispute, nor did he do so within the 30?day deadline, as required by the Master Agreement. After the required dispute-resolution meeting, only then did iserv inform Bessemer that the ?cure team? had been assembled only recently, and that it would require an additional two-week time frame for a ?next discussion? in advance of arriving at a satisfactory resolution. To date, that proposed time has elapsed, and a satisfactory resolution has still not been provided. Fiserv has further failed to take appropriate actions, including making proper adjustments to its systems, to address Bessemer?s claims. 129. On April 11, 2018, Bessemer sent Fiserv a notice of termination, indicating that it was providing notice that Bessemer was terminating the Master Agreement. Exhibit 4 hereto is -39- a true and correct copy of Bessemer?s notice of termination. Bessemer demanded that Fiserv return Bessemer?s ?les and information in a reasonable, commercially usable form and that Fiserv take appropriate measures to ensure an orderly transition of services to the successor vendor(s) that Bessemer may select. In response, however, iserv has refused to return the ?les and information in response to Bessemer?s demand. 130. iserv has continued to invoice Bessemer for services ?performed? after Bessemer sent Fiserv the notice of termination, while also continuing to withhold Bessemer?s account records and information as an apparent bargaining chip. Exhibit 5 hereto is a true and correct COpy of the dispute letter concerning a post?termination invoice Fiserv issued to Bessemer. 131. In this dispute letter, Bessemer requested that Fiserv provide audit records substantiating its invoices. 132. Fiserv again was nonreSponsive to Bessemer?s audit demands. Accordingly, on July 18, 2018, Bessemer demanded that Fiserv refund the amounts that it was unable to substantiate with supporting documentation. Exhibit 6 hereto is a copy of this correspondence. 133. Fiserv continued to delay, responding to the Credit Union?s audit demands for the ?rst time on September 11, 2018, but Fiserv?s response was an incomplete, perfunctory summary and contrived by Fiserv for litigation purposes. Exhibit 7 hereto is a copy of Fiserv?s response, with attachments omitted. 134. Bessemer responded by indicating numerous de?ciencies in Fiserv?s audit documentation and requested that Fiserv provide suf?cient audit documentation, including accurate copies of the documents Fiserv referred to in its September 11, 2018 summary. Exhibit 8 hereto is a copy of this correspondence. -40- 135. Fiserv responded later that day, refusing to provide the requested audit records. Exhibit 9 hereto is a copy of this correspondence. 136. On the heels of a litany of misconduct by Fiserv, including its failure to provide requested information while keeping Bessemer?s member information hostage in an insecure environment vulnerable to security risks, Bessemer commenced a replevin action in this Court to recover Bessemer?s member information from Fiserv. 137. Bessemer and iserv agreed to settle the replevin action in accordance with an October 19, 2018 letter agreement. 138. It was understood that the agreement settling and the dismissal of the replevin action ?would not affect Bessemer?s other pending action,? this action. Under this agreement, Fiserv was obligated to work with Bessemer to deconvert its member information so that it could be transitioned to a successor vendor. 139. Exhibit 10, to be ?led under seal separately from this Complaint but referenced herein, is a true and correct copy of this letter agreement. 140. Given the security vulnerabilities and other problems Fiserv was having, Bessemer desired to deconvert its account records and information from Fiserv to Bessemer?s successor vendor at the earliest possible opportunity. In the letter agreement, however, Fiserv represented that ?given the lead time required, deconversion is not likely to happen until near the June 30, 2019 expiration of the Master Agreement.? Fiserv, however, falsely represented to Bessemer that it would comply with the terms of this letter! agreement and that such an expansive lead time was required, when Fiserv had no intent to honor that agreement or the need for such an expansive lead time. Fiserv made these misrepresentations to falsely induce Bessemer into accepting a settlement agreement and dismissing the replevin action ?led in this Court, and -41- Bessemer justi?ably relied on Fiserv?s misrepresentations when deciding whether to enter into that agreement and dismiss the replevin action. 141. Fiserv has repudiated the letter agreement by refusing to accept Bessemer?s tender of performance, refusing to perform as required by that agreement, and conditioning Fiserv?s performance under that agreement on Bessemer?s assent to additional and different terms. For example, Fiserv insisted that Bessemer make an advance deposit of certain fees and charges before the deadline contained in the letter agreement for Bessemer to pay them, then Fiserv stopped work on the deconversion and refused to provide Bessemer?s successor vendor a test ?le while insisting that Bessemer pay a ?deconversion charge? that was not included in the letter agreement and that Fiserv changed from $40,000 to $45,000, and then back to $40,000. 142. After attempting to extort additional fees from Bessemer for weeks, Fiserv later retreated on some of its demands and to agreed re-commence the deconversion. However, but for iserv?s duplicity and illegitimate cessation of work while trying to extract additional money from Bessemer, Bessemer would have achieved an earlier deconversion to a superior vendor. iserv?s representation in the letter agreement that ?given the lead time required, deconversion is not likely to happen until near the June 30, 2019 expiration of the Master Agreement? is false. Rather, iserv misrepresented the need for such an expansive lead time in an attempt to have time to re?negotiate the terms of the settlement, while holding Bessemer?s data hostage as a bargaining chip. Fiserv made these misrepresentations to falsely induce Bessemer into accepting a settlement agreement and dismissing the replevin action ?led in this Court, and Bessemer justi?ably relied on Fiserv?s misrepresentations when deciding whether to enter into that agreement and dismiss the replevin action. -42- First Claim for Relief Breach of Contract (Against Defendant Fiserv Solutions Only) 143. Bessemer incorporates and realleges the preceding paragraphs. 144. The Master Agreement and the October 19, 2018 letter agreement are valid and binding obligations of Fiserv Solutions. 145. In addition to the express terms of those contracts, the implied covenant of good faith and fair dealing applies to iserv Solutions?s contracts with Bessemer. When reasonably read, the terms of these contracts imply certain other obligations that are necessary to vindicate the parties? apparent intentions and reasonable expectations. By entering into the contracts, Fiserv Solutions impliedly covenanted that it would act in good faith, including by providing account processing and deconversion services suitable for the proper functioning of a credit union and issuing invoices that were legitimate, bona ?de, good faith, and supported. 146. Bessemer has duly performed all obligations and satisfied all conditions required of it under its contracts with iserv Solutions, except for those that were waived or excused by Fiserv Solutions. 147. Bessemer remains ready, willing, and able to perform its obligations under the October 19, 2018 letter agreement. 148. Fiserv Solutions has materially breached its obligations under its contracts with Bessemer by failing to perform as required, repudiating its obligations, and breaching the implied covenant of good faith and fair dealing. 149. Fiserv Solutions has demonstrated a lack of good faith and fair dealing by, among other things, unreasonably failing to provide account processing and providing deconversion services suitable for the proper functioning of a credit union and issuing improper invoices and payment demands to Bessemer overstating the amounts Bessemer owes (while -43- correspondingly prohibiting Bessemer from asserting any right of deduction or setoff from amounts invoiced), thereby depriving Bessemer of the bene?t of the bargains the parties struck. 150. Fiserv Solutions?s conduct is inconsistent with the terms and purposes of its contracts with Bessemer. Fiserv Solutions?s lack of good faith and fair dealing has had the effect of preventing Bessemer from receiving the reasonably expected bene?t of the parties? bargain by, among other things, unreasonably and unnecessarily depn'ving Bessemer of the bene?t of the account processing and deconversion services which were to be provided by Fiserv Solutions, exposing Bessemer to vastly greater harm than it had bargained for and well outside of commercially reasonable norms, and causing Bessemer to remit payments to Fiserv Solutions that are not justly due Fiserv Solutions or supported by any good-faith basis. 151. Fiserv Solutions?s contract breaches were caused by bad faith and its willful, malicious, reckless, 0r grossly negligent conduct, were not reasonably contemplated by Bessemer, were so unreasonable as to constitute an abandonment of Fiserv Solutions?s agreements, and were breaches of Fiserv Solutions?s fundamental obligations. 152. Indeed, despite a pattern of recurring and known breaches, Fiserv Solutions was grossly negligent and reckless, failed to use even a slight degree of care, and acted with complete disregard for Bessemer?s rights. Although Fiserv Solutions had knowledge that its system was malfunctioning, reporting false information to Bessemer, and susceptible to vulnerabilities that compromised the con?dentiality of member information, Fiserv Solutions failed to address properly these issues, including by failing to put Bessemer on notice of them, and refusing to return Bessemer?s account records and information to it so that Bessemer could transition to an alternative provider. -44_ 153. As a result of iserv Solutions?s contract breaches, Bessemer has suffered and will continue to suffer damages and harm. WHEREFORE, Bessemer respectfully requests that this Court: enter judgment in Bessemer?s favor for all damages allowed by law?? including, without limitation, compensatory, consequential, incidental, reliance, restitutionary, delay, treble, and punitive?in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; (ii) award Bessemer its attorneys? fees, its costs, and the maximum prejudgment and postjudgment interest allowed by law; issue an order of speci?c performance requiring Fiserv Solutions to speci?cally perform its obligations to Bessemer; (iv) issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Second Claim for Relief Negligence 154. Bessemer incorporates and realleges the preceding paragraphs. 155. Fiserv owed a duty to Bessemer because in af?rmatively collecting, storing, and processing sensitive personal and ?nancial information on intemet?accessible computer systems, Fiserv owed a duty to Bessemer to exercise reasonable care under the circumstances, which includes using reasonable measures to protect the information from the foreseeable risk of a data -45- breach, unauthorized third-party access, or loss or alteration. Troves of highly sensitive personal and ?nancial data are stored on intemet?accessible systems administered by Fiserv and are obvious targets for cyber criminals. A reasonable entity in Fiserv?s position should foresee that a failure to use reasonable security measures, or a failure to maintain and provide complete and accurate information, can lead to serious ?nancial consequences. Accordingly, in collecting, storing, and processing Bessemer?s member information on intemet?accessible computer systems, Fiserv owed a duty to exercise reasonable care to protect Bessemer against unreasonable risks of harm arising out of those acts. Fiserv, as the entity with custody of that information, was the only party that realistically could ensure that its systems were suf?cient to properly handle and protect the sensitive member information that Bessemer entrusted to Fiserv. 156. Fiserv also owed a duty to Bessemer because iserv was certain that Bessemer would suffer, and Bessemer did in fact suffer and will continue to suffer, monetary and reputational injury. 157. iserv also owed a duty to Bessemer because there is a close connection between Fiserv?s conduct and Bessemer?s injuries insofar as Bessemer would not have been injured but for Fiserv?s negligence. 158. Fiserv also owed a duty to Bessemer because there is a strong public policy interest in banking given that it is an essential service on which consumers must rely, as well as a strong public policy interest in preventing iserv from behaving in such a reckless, careless, and negligent fashion and from shifting blame to others. 159. Fiserv ?lrther owed a duty to Bessemer because the burden on Fiserv is minimal and the consequences in the community are positive as a result of imposing a duty on Fiserv under these circumstances. -46? 160. Fiserv also owes a duty because, upon information and belief, there is insurance available for this risk. Moreover, Fiserv, which reported annual revenues in excess of $5 billion, can afford any damages awarded by the trier of fact. 161. Through its acts, omissions, concealments, and misrepresentations, Fiserv failed to act with the care that a reasonably prudent person would exercise in the same or similar circumstances. 162. Fiserv was grossly negligent and reckless, failed to use even a slight degree of care, and acted with complete disregard for Bessemer?s rights. 163. Without limitation, Fiserv failed to institute appropriate protective measures to maintain the safety, security, and accuracy of the con?dential member information to which it was entrusted. 164. Fiserv failed to inform or warn Bessemer of at least the following: 0 that Fiserv had failed to enact appropriate measures to protect the safety, security, and accuracy of Bessemer?s member information; 0 that in the absence of such measures, Fiserv would permit unauthorized individuals to access, delete, or modify Bessemer?s member information, and that member information provided to authorized individuals would not be accurate; 0 that Bessemer should independently take any protective measures to ensure that the safety, security, and accuracy of its member information would be maintained; and 0 that Bessemer?s member information had been, or was reasonably believed to have been, compromised or falsely reported. 165. Fiserv?s negligence has occurred on many occasions during the course of the parties? relationship and after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. _47_ 166. Fiserv?s acts, omissions, concealments, and misrepresentations violate broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises Fiserv Solutions made to Bessemer. The duties violated by Fiserv are in the nature of a tort because the relevant duties the duties to act in a reasonable, nonnegligent manner) arose regardless of any contract between Fiserv Solutions and Bessemer, and Fiserv has violated such duties after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. Accordingly, the duties violated by Fiserv are de?ned by the social policies embodied in the law of torts. 167. Fiserv?s negligence has harmed Bessemer, including physical harm in the form of loss of and alterations to Bessemer?s account records and information. These records and information are stored in a tangible format in information technology systems or other media administered by Fiserv. Fiserv Solutions acknowledged that Bessemer?s records and information ?shall remain the property of [Bessemer]? (Master Agreement Further, such property is identi?able with, merged into, or of the kind customarily identi?ed with and merged into documents. Indeed, such records and information embody and represent, without limitation, the title to the shares Bessemer members own as well as debts and other obligations of Bessemer to its members. Such records and information thus embody, represent the title to, and are essential to protecting and enforcing property rights and other legally enforceable obligations. Moreover, such records and information were created and maintained as a result of Bessemer?s substantial investment of time, effort, and money. 168. As a direct and proximate result of Fiserv?s negligence, Bessemer has suffered and will continue to suffer damages and harm. Such damages and harm include payments made to iserv for services that were not properly performed, damage to Bessemer?s business, being -48- placed at an imminent, immediate, and continuing increased risk of harm from utilizing inaccurate information and being victimized by identity theft and fraud, and time and effort needed to mitigate the adverse actual and potential impact of Fiserv?s acts, omissions, concealments, and misrepresentations, including providing increased security against and investigating fraudulent or inaccurate transactions, cancelling and reissuing payment cards, imposing withdrawal and transactional limits on accounts, and losing interest revenue and fees due to reduced account usage. WHEREFORE, Bessemer respectfully requests that this Court: (ii) (iV) enter judgment in Bessemer?s favor for all damages allowed by law? including, without limitation, compensatory, consequential, incidental, reliance, restitutionary, statutory, delay, treble, and punitive?in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; award Bessemer its attorneys? fees, its costs, and the maximum prejudgment and postjudgment interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Third Claim for Relief Unfair and Deceptive Trade Acts and Practices 169. Bessemer incorporates and realleges the preceding paragraphs. -49- 170. As a credit union, Bessemer is a not-for-pro?t cooperative owned and controlled by individual consumers who pool their resources to provide credit to one another. Bessemer?s purpose, as expressed in its bylaws, is to be ?a member-owned, democratically operated, not-for- pro?t managed by a volunteer board of directors, with the speci?ed mission of meeting the credit and savings needs of consumers, especially persons of modest means.? Bessemer thus exists to serve its members and their individual consumer savings needs, rather than to engage in business activities that generate pro?ts. Further, the extent of Bessemer?s activities is limited by its bylaws and applicable law, which generally restrict Bessemer to conducting activities necessary to perform its not-for-pro?t, consumer?service mission. Accordingly, the relevant goods and services provided by Fiserv Bessemer?s online banking website and bill payment service) are consumer-oriented and primarily for the personal, family, or household purposes of Bessemer?s members, who are individual consumers belonging to a cooperative. Indeed, such members are intended to benefit from Fiserv?s relevant goods and services, and such consumers receive certain of such goods and services directly from Fiserv for the members? personal, family, or household purposes. 171. As set forth in the preceding paragraph and incorporated herein by reference, by and through its acts, omissions, concealments, and misrepresentations, Fiserv violated nonfederal laws prohibiting unfair and deceptive trade acts and practices by engaging in acts and practices that materially affect consumers at large, including Bessemer and its several thousand members who are individual consumers. These acts and practices constitute a pattern of behavior on the part of Fiserv, pursued as a wrongful business practice, that has victimized and continues to victimize consumers, including not-for-pro?t cooperatives owned by individual consumers. -50- 172. Fiserv?s unlawful acts and practices include, without limitation: causing likelihood of confusion or of misunderstanding as to the source, sponsorship, approval, or certi?cation of goods and services that iserv provided or contemplated providing to Bessemer?s members; representing that its goods and services have sponsorship, approval, characteristics, uses, bene?ts, or quantities that they do not have; falsely representing that its goods and services are of particular standards, qualities, or grades; advertising goods or services with the intent not to sell them as advertised; (6) advertising goods and services with the intent not to supply reasonably expectable public demand of Bessemer?s members and the other individual end-user consumers on Fiserv?s shared systems, without adequate disclosures of quantity limitations; making false and misleading statements of fact concerning the reasons for, existence of, or amounts of prices and price reductions, including failing to clearly set forth prices in a manner in which can reasonably be ascertained; failing to comply with the terms of written guarantees or warranties provided prior to or after contracts for the purchase of goods and services are made; knowingly misrepresenting that services, replacements, or repairs are needed when they are not needed; -51.. making repairs, improvements, or replacements on tangible, real, or personal property, of a nature or quality inferior to or below the standard of that agreed to in writing; and engaging in other fraudulent and deceptive conduct that creates a likelihood of con?ision or misunderstanding. 173. iserv?s acts, omissions, concealments, and misrepresentations are part of a pattern or practice that has harmed individual consumers, including thousands of individual consumers who are Bessemer?s members. Fiserv provides Bessemer and its members with a standardized account processing system that is shared with other Fiserv customers, and iserv adopts standardized coding in performing its services. Indeed, according to Fiserv, it supports more than 80 million online banking end users. Further, Fiserv has employed standardized policies and business practices. In addition, some of iserv?s acts, omissions, concealments, and misrepresentations were communicated to the public at large as part of an extensive marketing scheme conducted through the publicly accessible website Thus, Fiserv?s acts, omissions, concealments, and misrepresentations are part of a pattern or practice directed at the public generally and that has harmed Bessemer and its members (who are individual consumers), as well as other ?nancial institutions that are customers of Fiserv and those ?nancial institutions? customers (who are individual consumers). 174. Fiserv?s acts, omissions, concealments, and misrepresentations are fraudulent in that they are likely to mislead reasonable consumers acting reasonably under the circumstances and they have deceived Bessemer, its members, and the public. For example, Fiserv has made numerous misrepresentations about consumers? ?nancial account information, including the amounts consumers have on deposit with Bessemer, the amounts members owe Bessemer, the -52- amounts Bessemer owes its members, and the existence and status of members? accounts. As a further example, Fiserv has made numerous misrepresentations about the capabilities and prices of its service offerings, the security of con?dential information entrusted to Fiserv, the necessity for certain repairs or additional services, and the amounts Bessemer owes Fiserv as re?ected on iserv?s invoices or in Fiserv?s payment demands. As an additional example, Fiserv?s acts, omissions, concealments, and misrepresentations have undermined consumers? abilities to evaluate their market options and to make free and intelligent choices to receive services from Bessemer, thereby harming Bessemer by reducing the number of consumers who are able to, or desire to, receive services from Bessemer. 175. Bessemer and its members-consumers have relied, and continue to rely, on Fiserv?s acts, omissions, concealments, and misrepresentations to their detriment. For example, Bessemer has engaged in transactions with members, refused to engage in transactions with members (including withholding funds justly owing to members), or otherwise dealt with members based upon the false account records and information provided by Fiserv. As a further example, Bessemer has made overpayments to Fiserv based on Fiserv?s false representations on invoices that certain fees were due and owing to Fiserv, and Fiserv falsely represented the soundness and security of its system, inducing Bessemer and its members to entrust Fiserv with their sensitive information. 176. Fiserv?s acts, omissions, concealments, and misrepresentations are directly contradicted by information that either originated from or concerns Fiserv and its product and service offerings, and was thereby already known by Fiserv, or was provided to Fiserv by third parties such as Bessemer and its members, and such information was thereby known by Fiserv. Fiserv is responsible for knowing the existence and contents of information within its -53- custody and control. Accordingly, Fiserv?s acts, omissions, concealments, and misrepresentations were knowingly false when made or recklessly made without regard to their falsity. 177. Fiserv knew, or should have known in the exercise of reasonable care, that its acts, omissions, concealments, and misrepresentations were untrue, were misleading, and did deceive members of the general public, and that consumers and their cooperatives would rely, and did in fact rely, on Fiserv?s acts, omissions, concealments, and misrepresentations. 178. Fiserv?s acts, omissions, concealments, and misrepresentations offend established public policy and are immoral, unethical, oppressive, unscrupulous, and substantially injurious to consumers. 179. Fiserv?s unfair and deceptive trade acts and practices have occurred on many occasions during the course of the parties? relationship and after Bessemer provided a notice of termination of the Master Agreement with Fiserv Solutions on April 11, 2018. 180. Fiserv?s acts, omissions, concealments, and misrepresentations violate broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises iserv Solutions made to Bessemer. The duties violated by Fiserv are in the nature of a statutory claim because the relevant statutory duties arose regardless of any contract between Fiserv Solutions and Bessemer, and Fiserv has violated such duties after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. Accordingly, the duties violated by Fiserv are de?ned by the social policies enshrined by legislatures in enacting laws prohibiting deceptive trade acts and practices. -54- 181. Fiserv has bene?ted from Bessemer?s and its members? reliance on its acts, omissions, concealments, and misrepresentations by, among other things, causing Bessemer to enter into transactions that provided Fiserv with additional and excessive pro?ts, collecting amounts that were not justly due to it or legally chargeable against Bessemer and iserv?s other customers, and preventing Bessemer and its members from using vendors that are competitive with iserv. 182. In addition to the misconduct occurring in the Commonwealth of New York law governs the Master Agreement, and Fiserv conducts activities in other states and has caused harm to Bessemer and its members in other states. 183. Fiserv has engaged in unfair and deceptive trade acts and practices in violation of Unfair Trade Practices and Consumer Protection Law as well as New York?s General Business Law (NY. GEN. BUS. LAW 349, et seq. Ohio?s Deceptive Trade Practices Law (OHIO REV. CODE 4165.02, et seq.) and Consumer Sales Practices Act (OHIO REV. CODE 1345.01, et seq), Wisconsin?s Deceptive Trade Practices Act (WIS. STAT. 100.18, et seq.) and, to the extent applicable, other nonfederal laws of other states or jurisdictions. This complaint expressly excludes any claim arising under the United States Constitution, laws, or treaties of the United States. 184. As a direct and proximate result of Fiserv?s unfair and deceptive trade acts and practices, Bessemer has suffered and will continue to suffer damages and harm. Such damages and harm include payments made to Fiserv for services that were not properly performed, damage to Bessemer?s business, being placed at an imminent, immediate, and continuing increased risk of harm from utilizing inaccurate information and being victimized by identity theft and fraud, and time and effort needed to mitigate the adverse actual and potential impact of -55- Fiserv?s acts, omissions, concealments, and misrepresentations, including providing increased security against and investigating fraudulent or inaccurate transactions, cancelling and reissuin payment cards, imposing withdrawal and transactional limits on accounts, and losing interest revenue and fees due to reduced account usage. WHEREFORE, Bessemer respectfully requests that this Court: enter judgment in Bessemer?s favor for all damages allowed by law? including, without limitation, statutory, compensatory, consequential, incidental, reliance, restitutionary, statutory, treble, delay, and punitive? in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; (ii) award Bessemer its attorneys? fees, its costs, and the maximum prejudgment and postjudgment interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and (iv) grant Bessemer any ?nther relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Fourth Claim for Relief Fraud 185. Bessemer incorporates and realleges the preceding paragraphs. 186. As set forth in the preceding paragraphs incorporated herein by reference, on many occasions during the course of the parties? relationship and after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018, Fiserv made false acts, omissions, concealments, and misrepresentations. For example, Fiserv has made numerous ?56- misrepresentations about consumers? ?nancial account information, including the amounts consumers have on deposit with Bessemer, the amounts members owe Bessemer, the amounts Bessemer owes its members, and the existence and status of members? accounts. As a further example, iserv has made numerous misrepresentations about the capabilities and prices of its service offerings, the necessity for certain repairs or additional services, the amounts Bessemer owes Fiserv as re?ected on Fiserv?s invoices, and the security of member information while in Fiserv?s custody. 187. Fiserv?s acts, omissions, concealments, and misrepresentations are directly contradicted by information that either originated from or concerns Fiserv and its product and service offerings, and was thereby known by Fiserv, or was provided to Fiserv by third parties such as Bessemer and its members, and such information was thereby known by Fiserv. Fiserv is responsible for knowing the existence and contents of information within its custody and control. Accordingly, Fiserv?s acts, omissions, concealments, and misrepresentations were knowingly false when made or recklessly made without regard to their falsity. 188. Fiserv knew or should have known that its acts, omissions, concealments, and misrepresentations were material to Bessemer and were made with the intent of misleading Bessemer into relying upon them, and Bessemer did so justi?ably rely. Indeed, as iserv acknowledges in its own Code of Conduct Business Ethics, iserv is committed to maintaining full, fair, accurate and timely accounting and business records. This protects our legal interests; and helps us preserve the trust of our clients.? See (version in effect on August 22, 2018). As further explained by Fiserv, ?[t]he unique nature of our business requires that all Fiserv computer systems and networks operate with the availability, ef?ciency, -57- reliability and integrity that are expected of systems that process ?nancial transactions and store ?nancial data. The company is ?rmly committed to operating and maintaining its technology assets in a manner that merits the trust and con?dence of the clients and consumers we serve.? Id. What?s more, as Fiserv explains, ?[b]ecause the principal market for our products and services is the regulated ?nancial services industry, the consequences of non?compliant offerings could seriously damage our reputation and ?nancial interests.? Id. Fiserv thus knew, in light of the unique nature of its business providing services to regulated ?nancial institutions, that a failure to supply full, fair, accurate, and timely information to a ?nancial institution such as Bessemer would not only undermine a client?s justi?able trust in Fiserv, but also cause serious damage and give rise to legal liability. 189. Bessemer has justi?ably relied on Fiserv?s acts, omissions, concealments, and misrepresentations to Bessemer?s detriment by, among other things, entering into transactions that provided Fiserv with additional and excessive pro?ts, paying Fiserv amounts that were not justly due to it or legally chargeable against Bessemer, and engaging in transactions with Bessemer?s members, refusing to engage in transactions with members (including withholding funds justly owing to members), or otherwise dealing with members based upon the false account records and information provided by iserv. 190. Fiserv?s acts, omissions, concealments, and misrepresentations violate broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises Fiserv Solutions made to Bessemer. The duties violated by iserv are in the nature of a tort because the relevant duties the duty to not make false acts, omissions, concealments, and misrepresentations) arose regardless of any contract between iserv Solutions and Bessemer, and Fiserv has violated such duties after Bessemer provided a notice of ?58- termination of the Master Agreement on April 11, 2018. Accordingly, the duties violated by Fiserv are de?ned by the social policies embodied in the law of torts. 191. By its acts, omissions, concealments, and misrepresentations, Fiserv defrauded Bessemer. 192. As a direct and proximate result of iserv?s fraud, Bessemer has suffered and will continue to suffer damages and harm. Such damages and harm include payments made to Fiserv for services that were not properly performed, damage to Bessemer?s business, being placed at an imminent, immediate, and continuing increased risk of harm from utilizing inaccurate information and being victimized by identity theft and fraud, and time and effort needed to mitigate the adverse actual and potential impact of Fiserv?s acts, omissions, concealments, and misrepresentations, including providing increased security against and investigating fraudulent or inaccurate transactions, cancelling and reissuing payment cards, imposing withdrawal and transactional limits on accounts, and losing interest revenue and fees due to reduced account usage. WHEREFORE, Bessemer respectfully requests that this Court: enter judgment in Bessemer?s favor for all damages allowed by law?? including, without limitation, compensatory, consequential, incidental, reliance, restitutionary, delay, treble, and punitive?in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; (ii) award Bessemer its attorneys? fees, its costs, and the maximum prejudgrnent and postjudgrnent interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to -59- suffer harm; and (iv) grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Fifth Claim for Relief Constructive Fraud 193. Bessemer incorporates and realleges the preceding paragraphs. 194. The parties were in a relationship of trust and con?dence in which Fiserv wielded superior knowledge, skill, expertise, and in?uence over Bessemer. Among other reasons, Fiserv controls Bessemer?s records and information, Fiserv refused to return Bessemer?s records and information to it, Fiserv was in an exclusive relationship with Bessemer, Fiserv prohibited Bessemer from performing certain services on its own account or through other service providers, and Fiserv sought to induce the dependence and trust of Bessemer. 195. As set forth in the preceding paragraphs incorporated herein by reference, on many occasions during the course of the parties? relationship and after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018, Fiserv made false acts, omissions, concealments, and misrepresentations. For example, Fiserv has made numerous misrepresentations about consumers? ?nancial account information, including the amounts consumers have on deposit with Bessemer, the amounts members owe Bessemer, the amounts Bessemer owes its members, and the existence and status of members? accounts. As a further example, Fiserv has made numerous misrepresentations about the capabilities and prices of its service offerings, the necessity for certain repairs or additional services, the amounts Bessemer owes iserv as re?ected on Fiserv?s invoices, and the security of member information while in Fiserv? custody. -60- 196. Fiserv?s acts, omissions, concealments, and misrepresentations were false or recklessly made without regard to their falsity, and were material to Bessemer, and Bessemer did justi?ably rely on them. 197. Fiserv knew or should have known that its acts, omissions, concealments, and misrepresentations were material to Bessemer, and Bessemer did justi?ably rely on them. Indeed, as Fiserv acknowledges in its own Code of Conduct Business Ethics, ?Fiserv is committed to maintaining full, fair, accurate and timely accounting and business records. This protects our legal interests; and helps us preserve the trust of our clients.? See (version in effect on August 22, 2018). As further explained by Fiserv, ?[t]he unique nature of our business requires that all Fiserv computer systems and networks operate with the availability, ef?ciency, reliability and integrity that are expected of systems that process ?nancial transactions and store ?nancial data. The company is ?rmly committed to operating and maintaining its technology assets in a manner that merits the trust and con?dence of the clients and consumers we serve.? Id. What?s more, as Fiserv explains, ?[b]ecause the principal market for our products and services is the regulated ?nancial services industry, the consequences of non?compliant offerings could seriously damage our reputation and ?nancial interests.? Id. Fiserv thus knew, in light of the unique nature of its business providing services to regulated ?nancial institutions, that a failure to supply full, fair, accurate, and timely information to a ?nancial institution such as Bessemer would not only undermine a client?s justi?able trust in iserv, but also cause serious damage and give rise to legal liability. 198. Bessemer has justi?ably relied on Fiserv?s acts, omissions, concealments, and misrepresentations to Bessemer?s detriment by, among other things, entering into transactions ?6l- that provided Fiserv with additional and excessive pro?ts, paying Fiserv amounts that were not justly due to it or legally chargeable against Bessemer, and engaging in transactions with Bessemer?s members, refusing to engage in transactions with members (including withholding funds justly owing to members), or otherwise dealing with members based upon the false account records and information provided by Fiserv. 199. Fiserv?s acts, omissions, concealments, and misrepresentations violate broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises iserv Solutions made to Bessemer. The duties violated by Fiserv are in the nature of a tort because the relevant duties the duty to not make false acts, omissions, concealments, and misrepresentations) arose regardless of any contract between Fiserv Solutions and Bessemer, and Fiserv has violated such duties after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. Accordingly, the duties violated by Fiserv are de?ned by the social policies embodied in the law of torts. 200. By its acts, omissions, concealments, and misrepresentations, Fiserv constructively defrauded Bessemer. 201. As a direct and proximate result of Fiserv?s constructive fraud, Bessemer has suffered and will suffer damages and harm. Such damages and harm include payments made to Fiserv for services that were not properly performed, damage to Bessemer?s business, being placed at an imminent, immediate, and continuing increased risk of harm from utilizing inaccurate information and being victimized by identity theft and fraud, and time and effort needed to mitigate the adverse actual and potential impact of Fiserv?s acts, omissions, concealments, and misrepresentations, including providing increased security against and investigating fraudulent or inaccurate transactions, cancelling and reissuing payment cards, -52- imposing withdrawal and transactional limits on accounts, and losing interest revenue and fees due to reduced account usage. WHEREFORE, Bessemer respectfully requests that this Court: 202. 203. (ii) enter judgment in Bessemer?s favor for all damages allowed by law? including, without limitation, compensatory, consequential, incidental, reliance, restitutionary, delay, treble, and punitive?in amounts to be determined at trial and that exceed the amount Speci?ed in Rule 4301 for submission to a board of arbitrators; award Bessemer its attorneys? fees, its costs, and the maximum prejudgment and postjudgrnent interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Sixth Claim for Relief Negligent Misrepresentation Bessemer incorporates and realleges the preceding paragraphs. iserv assumed a duty to provide accurate information to Bessemer, and Fiserv had the means to determine the accuracy of the information it was providing to Bessemer. 204. As set forth in the preceding paragraphs incorporated herein by reference, on many occasions during the course of the parties? relationship and after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018, Fiserv made false acts, omissions, concealments, and misrepresentations. -63? 205. Fiserv?s acts, omissions, concealments, and misrepresentations were false, were caused by Fiserv?s negligence, gross negligence, or recklessness, were material to Bessemer, and were justi?ably relied on by Bessemer. For example, Fiserv has made numerous misrepresentations about consumers? ?nancial account information, including the amounts consumers have on deposit with Bessemer, the amounts members owe Bessemer, the amounts Bessemer owes to members, and the existence and status of members? accounts. As a further example, Fiserv has made numerous misrepresentations about the capabilities and prices of its service offerings, the necessity for certain repairs or additional services, the amounts Bessemer owes iserv as re?ected on Fiserv?s invoices, and the security of member information while in Fiserv?s custody. 206. Fiserv?s acts, omissions, concealments, and misrepresentations violate broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises Fiserv Solutions made to Bessemer. The duties violated by Fiserv are in the nature of a tort because the relevant duties the duty to not make false acts, omissions, concealments, and misrepresentations) arose regardless of any contract between Fiserv Solutions and Bessemer, and Fiserv has violated such duties after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. Accordingly, the duties violated by Fiserv are de?ned by the social policies embodied in the law of torts. 207. By its acts, omissions, concealments, and misrepresentations, iserv made negligent misrepresentations to Bessemer. 208. Fiserv knew or should have known that its acts, omissions, concealments, and misrepresentations were material to Bessemer, and Bessemer did justi?ably rely on them. Indeed, as Fiserv acknowledges in its own Code of Conduct Business Ethics, ?Fiserv is -64- committed to maintaining fair, accurate and timely accounting and business records. This protects our legal interests; and helps us preserve the trust of our clients.? See (version in effect on August 22, 2018). As further explained by Fiserv, ?[t]he unique nature of our business requires that all Fiserv computer systems and networks operate with the availability, ef?ciency, reliability and integrity that are expected of systems that process ?nancial transactions and store ?nancial data. ?The company is ?rmly committed to operating and maintaining its technology assets in a manner that merits the trust and con?dence of the clients and consumers we serve.? Id. What?s more, as Fiserv explains, ?[b]ecause the principal market for our products and services is the regulated ?nancial services industry, the consequences of non-compliant offerings could seriously damage our reputation and ?nancial interests.? Id. Fiserv thus knew, in light of the unique nature of its business providing services to regulated ?nancial institutions, that a failure to supply full, fair, accurate, and timely information to a ?nancial institution such as Bessemer would not only undermine a client?s justi?able trust in Fiserv, but also cause serious damage and give rise to legal liability. 209. Bessemer has justi?ably relied on Fiserv?s acts, omissions, concealments, and misrepresentations to Bessemer?s detriment by, among other things, entering into transactions that provided Fiserv with additional and excessive pro?ts, paying Fiserv amounts that were not justly due to it or legally chargeable against Bessemer, and engaging in transactions with Bessemer?s members, refusing to engage in transactions with members (including withholding funds justly owing to members), or otherwise dealing with members based upon the false account records and information provided by Fiserv. -65- 210. Fiserv?s negligence has harmed Bessemer, including physical harm in the form of loss of and alterations to Bessemer?s account records and information. These records and information are stored in a tangible format in information technology systems or other media administered by Fiserv. Fiserv Solutions acknowledged that Bessemer?s records and information ?shall remain the property of [Bessemer]? (Master Agreement Further, such property is identi?able with, merged into, or of the kind customarily identi?ed with and merged into documents. Indeed, such records and information embody and represent, without limitation, the title to the shares Bessemer members own as well as debts and other obligations of Bessemer to its members. Such records and information thus embody, represent the title to, and are essential to protecting and enforcing property rights and other legally enforceable obligations. Moreover, such records and information were created and maintained as a result of Bessemer?s substantial investment of time, effort, and money. 211. As a direct and proximate result of iserv?s negligent misrepresentations, Bessemer has suffered and will continue to suffer damages and harm. Such damages and harm include payments made to Fiserv for services that were not properly performed, damage to Bessemer?s business, being placed at an imminent, immediate, and continuing increased risk of harm from utilizing inaccurate information and being victimized by identity theft and fraud, and time and effort needed to mitigate the adverse actual and potential impact of Fiserv?s acts, omissions, concealments, and misrepresentations, including providing increased security against and investigating fraudulent or inaccurate transactions, cancelling and reissuing payment cards, imposing withdrawal and transactional limits on accounts, and losing interest revenue and fees due to reduced account usage. WHEREFORE, Bessemer respectfully requests that this Court: -66? enter judgment in Bessemer?s favor for all damages allowed by law? including, without limitation, compensatory, consequential, incidental, reliance, restitutionary, delay, treble, and punitive?in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; (ii) award Bessemer its attorneys? fees, its costs, and the maximum prejudgrnent and postjudgment interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and (iv) grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Seventh Claim for Relief Conversion/Misappropriation 212. Bessemer incorporates and realleges the preceding paragraphs. 213. Bessemer has a property interest in its account records and information. These records and information are stored in a tangible format in information technology systems or other media administered by Fiserv. Fiserv Solutions acknowledged that Bessemer?s records and information ?shall remain the property of [Bessemer]? (Master Agreement Further, such property is identi?able with, merged into, or of the kind customarily identified with and merged into documents. Indeed, such records and information embody and represent, without limitation, the title to the shares Bessemer members own as well as debts and other obligations of Bessemer to its members. Such records and information thus embody, represent the title to, and are essential to protecting and enforcing property rights and other legally enforceable -67- obligations. Moreover, such records and information were created and maintained as a result of Bessemer?s substantial investment of time, effort, and money. 214. Bessemer also has a property interest in funds deposited in members? share draft accounts or otherwise in the custody of Bessemer, as well as in funds that are due and owing to Bessemer and its members. Such funds are speci?cally identi?able and subject to an obligation to be treated in a particular manner. 215. Bessemer?s property interest in the foregoing assets arises from Bessemer?s ownership of such property. Alternatively, t0 the extent such property is owned by Bessemer?s members, those members have authorized Bessemer to possess such property. 216. As between Bessemer and Fiserv, Bessemer has superior possessory rights in this property. 217. Bessemer and its authorized members have demanded that Fiserv return and make available such property, or such demand was excused and rendered unreasonable by Fiserv?s acts and omissions. 218. Fiserv has converted and misappropriated this prOperty by refusing to return it, destroying it, compromising its integrity, misusing it, interfering with Bessemer?s use and possession of it, and otherwise dealing with it in a manner inconsistent with Bessemer?s superior possessory rights. Fiserv?s conversion and misappropriation of such property was done without Bessemer?s consent and without lawful justi?cation. 219. Fiserv?s misconduct has had the effect of allowing it to reap the bene?ts of unlawfully possessing such property by, among other things, insisting that Bessemer pay Fiserv for additional services and prohibiting Bessemer from performing such services on its own ?68- account or through iserv competitors while Fiserv holds Bessemer?s account records and information hostage. 220. iserv?s interference with Bessemer?s property rights has occurred on many occasions during the course of the parties? relationship and after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. 221. Fiserv?s interference with Bessemer?s property rights violates broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises Fiserv Solutions made to Bessemer. The duties violated by Fiserv are in the nature of a tort because the relevant duties the duties to respect Bessemer?s property rights) arose regardless of any contract between the parties, the Master Agreement speci?cally acknowledged that Bessemer?s account records and information ?shall remain the property of [Bessemer]? (Master Agreement and, in any event, Fiserv has violated such duties after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. Accordingly, the duties violated by Fiserv are de?ned by the social policies embodied in the law of torts. 222. As a direct and proximate result of Fiserv?s conversion and Bessemer has suffered and will continue to suffer damages and harm. WHEREFORE, Bessemer respectfully requests that this Court: enter judgment in Bessemer?s favor for all damages allowed by law? including, without limitation, compensatory, consequential, incidental, reliance, restitutionary, statutory, delay, treble, and punitive?in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; (ii) award Bessemer its attorneys? fees, its costs, and the maximum -69- prejudgment and postjudgment interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and (iv) grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Eighth Claim for Relief Bailment 223. Bessemer incorporates and realleges the preceding paragraphs. 224. Bessemer has a property interest in its account records and information. These records and information are stored in a tangible format in information technology systems or other media administered by Fiserv. Fiserv Solutions acknowledged that Bessemer?s records and information ?shall remain the property of [Bessemer]? (Master Agreement Further, such property is identi?able with, merged into, or of the kind customarily identi?ed with and merged into documents. Indeed, such records and information embody and represent, without limitation, the title to the shares Bessemer members own as well as debts and other obligations of Bessemer to its members. Such records and information thus embody, represent the title to, and are essential to protecting and enforcing property rights and other legally enforceable obligations. Moreover, such records and information were created and maintained as a result of Bessemer?s substantial investment of time, effort, and money. 225. Bessemer?s property interest in the foregoing assets arises from Bessemer?s ownership of such property. Alternatively, to the extent such property is owned by Bessemer?s members, those members have authorized Bessemer to possess such property. -70- 226. Fiserv has accepted delivery of Bessemer?s account records and information and became a bailee of such propeity, thereby undertaking duties, independent of any contractual duty, to account for such property and to care for it. 227. As part of this bailment, it was understood that Fiserv would use such property for the limited purposes authorized by Bessemer and would return it as agreed or upon demand. 228. Bessemer and those authorized to receive its prOperty have demanded that Fiserv return such property, or such demand was excused and rendered unreasonable by Fiserv?s acts and omissions. 229. Fiserv breached its duty as a bailee by refusing to return Bessemer?s account records and information, destroying them, compromising their integrity, misusing them, interfering with them, and otherwise dealing with them in a manner inconsistent with Fiserv?s bailee duties and Bessemer?s superior possessory rights. 230. Fiserv?s breaches of its bailee duties occurred on many occasions during the course of the parties? relationship and after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. 231. Fiserv?s interference with Bessemer?s property rights violates broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises Fiserv Solutions made to Bessemer. The duties violated by Fiserv are in the nature of a bailment claim because the relevant duties the duties imposed on a bailee of another?s property) arose regardless of any contract between the parties, the Master Agreement speci?cally acknowledged that Bessemer?s account records and information ?shall remain the property of [Bessemer]? (Master Agreement and, in any event, Fiserv has violated such duties after Bessemer provided a notice of termination of the Master Agreement on April 11, 2018. -71- Accordingly, the duties violated by Fiserv are de?ned by the social policies governing the law of bailments. 232. As a direct and proximate result of iserv?s breach of its bailee duties, Bessemer has suffered and will continue to suffer damages and harm. WHEREFORE, Bessemer respectfully requests that this Court: enter judgment in Bessemer?s favor for all damages allowed by law?? including, without limitation, compensatory, consequential, incidental, reliance, restitutionary, delay, treble, and punitive?in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; (ii) award Bessemer its attorneys? fees, its costs, and the maximum prejudgment and postjudgrnent interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and (iv) grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Ninth Claim for Relief Unjust Enrichment 233. Bessemer incorporates and realleges the preceding paragraphs. 234. Fiserv has induced Bessemer to make payments and to furnish its account records and information as a result of Fiserv?s unjust and unconscionable misconduct. As a result of this misconduct Fiserv has been, and will continue to be un'ustl enriched at Bessemer?s ex ense 3 3 3 -72- and under circumstances that would make it unjust and inequitable for iserv to retain Bessemer?s payments, and Bessemer?s account records and information. 235. Fiserv?s unjust enrichment violates broad social duties that are separate and distinct from, and collateral to, any speci?c executory contractual promises Fiserv Solutions made to Bessemer. The duties violated by Fiserv are in the nature of a claim for unjust enrichment because the relevant duties the duty to make restitution when unjustly enriched) arose regardless of any contract between the parties, and Fiserv violated such duties after Bessemer provided a notice of termination of the Master Agreement on April 1 1, 2018. Accordingly, the duties violated by Fiserv are de?ned by the social policies embodied in the principles of equity. 23 6. Accordingly, equity and good conscience require that Fiserv make restitution to Bessemer. WHEREF ORE, Bessemer respectfully requests that this Court: order Fiserv to make restitution to Bessemer, in amounts to be determined at trial and that exceed the amount speci?ed in Rule 4301 for submission to a board of arbitrators; (ii) award Bessemer its attorneys? fees, its costs, and the maximum prejudgment and postjudgment interest allowed by law; issue an injunction to prevent Bessemer from suffering or continuing to suffer harm; and (iv) grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. -73- Tenth Claim for Relief Punitive Damages 237. Bessemer incorporates and realleges the preceding paragraphs. 238. Fiserv?s acts, omissions, concealments, and misrepresentations as set forth herein were intentional, willful, wanton, malicious, reckless, oppressive, egregious, and outrageous, are torts or actionable as independent torts, jeopardize the public and are part of a pattern directed at the public generally, offend public policy, are based on evil and reprehensible motives, involve an extraordinarily disingenuous and dishonest failure to carry out Fiserv?s obligations, and involve a high degree of moral turpitude demonstrating such wanton dishonesty as to imply a criminal indifference to civil obligations. 239. Indeed, as Fiserv acknowledges in its own Code of Conduct Business Ethics, iserv is committed to maintaining full, fair, accurate and timely accounting and business records. This protects our legal interests; and helps us preserve the trust of our clients.? See 4b-b67b-45 (version in effect August 22, 2018). As further explained by Fiserv, ?[t]he unique nature of our business requires that all Fiserv computer systems and networks operate with the availability, ef?ciency, reliability and integrity that are expected of systems that process ?nancial transactions and store ?nancial data. The company is ?rmly committed to Operating and maintaining its technology assets in a manner that merits the trust and con?dence of the clients and consumers we serve.? Id. What?s more, as Fiserv explains, ?[b]ecause the principal market for our products and services is the regulated ?nancial services industry, the consequences of non-compliant offerings could seriously damage our reputation and ?nancial interests.? Id. Fiserv thus knew, in light of the unique nature of its business providing services to regulated ?nancial institutions, that its -74- acts, omissions, concealments, and misrepresentations would cause serious damage and give rise to legal liability. 240. Fiserv has engaged in and has knowledge of prior similar injury?causing incidents, including through complaints made by Bessemer, other Fiserv customers, and security researchers. 241. The parties were in a relationship of trust and con?dence in which Fiserv wielded superior knowledge, skill, expertise, and in?uence over Bessemer. Among other reasons, Fiserv controls Bessemer?s account records and information, Fiserv refused to return Bessemer?s records and information to it, Fiserv was in an exclusive relationship with Bessemer, Fiserv prohibited Bessemer from performing certain services on its own account or through other service providers, and iserv sought to induce the dependence and trust of Bessemer. 242. Fiserv has received ill-gotten gains from its acts, omissions, concealments, and misrepresentations by, among other things, causing Bessemer and Fiserv?s other customers to enter into transactions that provided Fiserv with additional and excessive pro?ts, and collecting amounts that were not justly due to it or legally chargeable against Bessemer and Fiserv?s other customers. 243. Fi'serv?s acts, omissions, concealments, and misrepresentations have harmed the public generally. Such harm has befallen Bessemer, a not-for-pro?t cooperative, as well as the thousands of individual consumers who are Bessemer members. Moreover, Fiserv provides Bessemer and its members a standardized account processing system that is shared with other Fiserv customers and that adopts standardized coding. Further, Fiserv has employed standardized policies and business practices. Accordingly, such harm has befallen other ?nancial institutions that are customers of Fiserv, as well as those institutions? own customers, -75- including individual consumers. These harms are part of a pattern of behavior Fiserv directs at the public generally. 244. Public policy supports an award of punitive damages, given that Bessemer is a not-for?pro?t consumer ?nancial institution, banking is an essential public service on which consumers must rely, and Fiserv targeted its business operations to regulated ?nancial institutions and the consumers they serve. 245. Accordingly, punitive damages are appropriate in addition to any compensatory damages for harm done to Bessemer. Such damages are necessary to deter iserv and others from committing similar incidents in the future, and the amount of such punitive damages awarded should be suf?cient to have a deterrent effect on Fiserv. WHEREFORE, Bessemer respectfully requests that this Court: award Bessemer punitive damages; (ii) award Bessemer its attorneys? fees, its costs, and the maximum prejudgment and postjudgment interest allowed by law; and grant Bessemer any further relief that may be necessary to achieve justice or that is deemed proper and appropriate under the circumstances by this Court. Jurv Trial Demand Bessemer requests a trial by jury of all issues so triable. [Continued on following page] -75- Demand for Relief WHEREFORE, Bessemer respectfully requests that this Court award Bessemer the relief requested above on its claims for relief or that is deemed proper and appropriate under the circumstances by this Court. Dated: April 25, 2019 irate/72,13 PIETRAGALLO GORDON ALFANO BOSICK RASPANTI, LLP .4: ,f'f m: awe. ?ed?am Ricliard J. Parksf/ PA ID #40477 7 West State Street, Suite 100 Sharon, PA 16146 Tel: (724) 981-1397 Fax: (724) 981-1398 Email: rjp@pietragallo.com Charles J. Nerko (admitted pro hac vice) Joel S. Forman (pro hac vice to be ?led) VEDDER PRICE RC. 1633 Broadway New York, NY 10019 Tel.: (212) 407-7700 Fax: (212) 407-7799 Email: cnerko@vedderprice.com jforman@vedderprice.com Attorneys for Plainti? Bessemer System Federal Credit Union -77- IN THE COURT OF COMMON PLEAS OF MERCER COUNTY, BESSEMER SYSTEM FEDERAL CREDIT UNION, a not-for-pro?t federal credit union, Plaintiff, CIVIL DIVISION -agamst- N0. 2018?01130 ISERV SOLUTIONS, LLC, a Wisconsin limited liability corporation f/k/a ISERV SOLUTIONS, INC, a Wisconsin corporation, and FISERV, INC., a Wisconsin corporation, Defendants. 1, Joy E. Peterson, as the duly authorized representative and agent for Bessemer System Federal Credit Union, having read the foregoing Complaint, aver that it is accurate and correct to the best of my personal knowledge, information and belief. This statement of veri?cation is made subject to the penalties of 18 PA. CONS. STAT. 4904 relating to unsworn falsi?cation to authorities, which provides that ifI knowingly make false statements, I may be subject to criminal penalties. BESSEMER SYSTEM FEDERAL CREDIT UNION a . (5- Dated: April 25, 2019 Deli -. . By: Jay E. Peterson Chief Executive Of?cer