Friday, 20 February 2015

What are the specifics on non-compliance for a US financial institution (CU) that has a website using shared hosting and Apache HTTP authentication?



Take for example, a US Credit Union that has a web site/application with extremely poor security.


The example website is hosted on a large shared host with hundreds and hundreds of employees, from technical support to outsourced system administrators, who would have access to the website files/code base.


In addition to this, customer names, information, and apparently account numbers are stored in clear-text files in a servable location in the document root, secured only with a single .htaccess file restricting access by user/password.


I know that one or both of these issues must cause the CU to be non-compliant with some standard; however, I can't pin down the exact sections and wording.


I believe FFIEC is probably where I will find it, but I haven't been able to locate the relevant pieces.


This question has some useful links as well.


I can't find much that's relevant in ISO27001 or NIST. And I'm fairly certain that PCI-DSS doesn't cover it either, since most shared hosts can be PCI compliant.
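For readers who want to see the configuration pattern the question describes next to a corrected one, here is an added illustration (not part of the original question, and not from any real credit union): the clear-text records gated only by an `.htaccess` Basic-auth block, beside a server-level configuration that keeps such data out of the document root and refuses to serve it at all. All paths are hypothetical.

```apache
# --- Weak pattern, as described in the question (constructed example) ---
# File: /var/www/html/customers/.htaccess  (hypothetical path)
# The plaintext records sit under DocumentRoot; the only barrier is Basic auth.
# Anyone with filesystem read access on the shared host (support staff,
# outsourced admins, another tenant via a host-level flaw) reads the files
# directly, and a misplaced or deleted .htaccess exposes them over HTTP.
AuthType Basic
AuthName "Members"
AuthUserFile /var/www/html/customers/.htpasswd
Require valid-user

# --- Corrected pattern (server config / vhost, not .htaccess) ---
# 1. Customer data lives outside DocumentRoot (hypothetical /srv/cu-data) and
#    is never mapped to a URL, so Apache cannot serve it under any condition.
# 2. .htaccess overrides are disabled, so a stray file cannot re-open access.
# 3. Directory listings are off, and the legacy data path is denied outright
#    in case a copy ever lands back in the webroot.
DocumentRoot "/var/www/html"

<Directory "/var/www/html">
    AllowOverride None
    Options -Indexes
    Require all granted
</Directory>

<Directory "/var/www/html/customers">
    Require all denied
</Directory>

<Directory "/srv/cu-data">
    # No Alias or DocumentRoot points here, so this block is belt-and-braces:
    # even a mistaken Alias would be refused.
    Require all denied
</Directory>
```

The application, not the web server, should read from `/srv/cu-data` after authenticating and authorizing the user; encryption at rest and filesystem permissions limited to the application's service account address the shared-host staff exposure that Basic auth alone never did.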




