In October 2020, the Federal Reserve Bank announced a new Security and Resiliency Assurance Program that's applicable to all organizations using a FedLine Solutions product. End User Authorization Contacts (EUACs) for each client organization were sent attestation materials in January 2021. Organizations are required to attest by December 31, 2021, and on an annual basis thereafter.
Program Purpose
The Assurance Program was developed in response to an evolving security threat landscape. It was created to increase client organization security postures and reduce the risk of control breakdown or fraudulent payments being sent through FedLine systems.
Attestation Requirements
The Federal Reserve Bank will indicate whether each organization is subject to a standard assessment or independent assessment in the information provided to your EUACs. There are three options for independent review:
- By an independent third party
- By an independent internal department such as an internal audit function
- Assessment conducted by a non-independent party and reviewed by one of the two independent options mentioned above
The Assurance Program Guide details supporting documentation that each client organization should review. Organizations should ensure Security Control Procedures specific to each FedLine Solutions product are reviewed.
Areas of review may include but may not be limited to:
- Assurance Controls
- Certification Practice Statement
- Documentation and Data Controls
- Information Security Program
- Network Controls
- Operational Controls
- PC and Operating System Controls
- Subscriber Obligations
One assessment is required per ABA number. Once completed, organizations must prove they've performed (or had someone perform) the evaluation for them. Client organizations aren't required to submit results of the assessment. However, they're responsible for maintaining these results along with a remediation plan to address any deficiencies identified in the assessment.
Connecting Through a Service Provider
If an organization connects to a FedLine Solutions product through a service provider, it's responsible for that service provider's compliance with the security policies. Connecting through a service provider doesn't transfer the organization's responsibility for compliance. Organizations should work with their service providers to obtain information regarding the service provider's attestation to support their own attestation.
Conclusion
The Federal Reserve Bank's Assurance Program will help strengthen security controls surrounding an organization's FedLine Solutions environment. Evaluate the requirements for your organization's attestation to the Assurance Program, and enlist the services of a qualified firm to help perform this assessment if necessary.