In October 2020, the Federal Reserve Bank announced a new Security and Resiliency Assurance Program that’s applicable to all organizations using a FedLine Solutions product. End User Authorization Contacts (EUACs) for each client organization were sent attestation materials in January 2021. Organizations are required to attest by December 31, 2021 and on an annual basis thereafter.
The Assurance Program was developed in response to an evolving security threat landscape. It was created to increase client organization security postures and reduce the risk of control breakdown or fraudulent payments being sent through FedLine systems.
The Federal Reserve Bank will indicate whether each organization is subject to a standard assessment or an independent assessment in the information provided to your EUACs. There are three options for independent review:
- By an independent third party
- By an independent internal department such as an internal audit function
- Assessment conducted by a non-independent party and reviewed by one of the two independent options mentioned above
The Assurance Program Guide details supporting documentation that each client organization should review. Organizations should ensure Security Control Procedures specific to each FedLine Solutions product are reviewed.
Areas of review may include, but are not limited to:
- Assurance Controls
- Certification Practice Statement
- Documentation and Data Controls
- Information Security Program
- Network Controls
- Operational Controls
- PC and Operating System Controls
- Subscriber Obligations
One assessment is required per ABA number. Once completed, organizations must prove they’ve performed (or had someone perform) the evaluation for them. Client organizations aren’t required to submit results of the assessment. However, they’re responsible for maintaining these results along with a remediation plan to address any deficiencies identified in the assessment.
Connecting Through a Service Provider
If an organization connects to a FedLine Solutions product through a service provider, the organization is responsible for that service provider's compliance with the security policies; using a service provider does not transfer the organization's own responsibility for compliance. Organizations should work with their service providers to obtain information about the service provider's attestation to support their own attestation.
The Federal Reserve Bank’s Assurance Program will help strengthen security controls surrounding an organization’s FedLine Solutions environment. Evaluate the requirements for your organization’s attestation to the Assurance Program, and enlist the services of a qualified firm to help perform this assessment if necessary.