In October 2020, the Federal Reserve announced the Security and Resiliency Assurance Program for FedLine Solutions. FedLine Solutions are a suite of applications that allow banks to perform electronic transfers such as ACH and wires and other functions such as ordering cash from the Fed. The purpose of the Security and Resiliency Assurance Program (Program) is to ensure the security of the FedLine Solutions system and reduce the risk of fraudulent transactions being sent through the system.
The Program requires institutions that utilize FedLine to complete the following by the end of 2021:
Conduct an assessment of their compliance with FedLine security requirements published by the Federal Reserve for each FedLine application.
Submit an attestation that they have completed the assessment to the Federal Reserve.
The assessment portion of the Program must be completed by all institutions that use a FedLine Solutions product, no matter which products are used. The scope of the controls to be assessed will differ by product, though, because the Federal Reserve publishes different security controls and guidance for each application. For example, institutions using FedLine for reporting will have a different set of controls to assess than those that are using wire and ACH applications. The security requirements for each application are accessible to the designated end user authorization contact (EUAC) for each institution on the EUAC support webpage.
The assessment itself can be conducted as either a self-assessment or an independent review by a third party. The Federal Reserve will determine if an institution needs to complete an independent review on a case-by-case basis using a variety of factors such as institution size and complexity and products used. Institutions that are allowed to complete self-assessments can utilize internal staff, while those requiring an independent review must either use a third-party audit/security consultant such as Schneider Downs to complete the assessment or have an independent internal function, such as internal audit, complete most of the assessment, with an independent third party reviewing the work conducted by internal staff to complete the assessment.
Once the self-assessment or independent review has been completed, a signed attestation must be submitted to the Federal Reserve, stating that the institution has completed the appropriate assessment. The first attestation must be submitted by December 31, 2021, and the attestation must be completed annually thereafter. The individual signing the attestation should be an executive in charge of payment solutions or the primary group(s) using FedLine at the institution but does not need to be a user or EUAC themself. There is no exemption to this requirement.
To prepare for the assessment, institutions should do the following:
Make sure your institution’s EUAC contact information is up to date.
Review the security requirements for the FedLine Solutions utilized by your institution and develop a plan to complete the assessment.
Consult with an audit firm like Schneider Downs to assist with developing a self-assessment or independent review.