Assurance Program Frequently Asked Questions
Overview
In response to the evolving security threat landscape, the Federal Reserve Banks are implementing a Security and Resiliency Assurance Program (“Assurance Program”). As part of this new program, institutions and service providers that use the FedLine® Solutions must:
- Conduct an assessment of their compliance with the Federal Reserve Banks’ FedLine security requirements
- Submit an attestation that they have completed the assessment
The FAQs below have been created to help your organization become familiar with the program. If you have additional questions, please contact the Support Center.
Frequently Asked Questions
Attestation materials, process and timing
- When will my organization receive its attestation materials?
All End User Authorization Contacts (EUACs) should have received the attestation materials associated with their organization’s ABA or RSSD ID on or before March 31, 2022.
It may be helpful to identify a primary point of contact that will coordinate and facilitate the Assurance Program process.
To ensure the deliverability of future Assurance Program messages and materials, please:
- Add @adobesign.com to your organization’s safe senders list.
- Ensure that your organization’s EUAC contact information is current. Typically, an organization’s OAL (Official Authorization List) can identify a current list of EUACs. The Federal Reserve can only provide current EUACs to the Authorized Signers listed on the OAL, following appropriate due diligence.
If you are the primary point of contact for your organization and have not received your attestation materials, check with your organization’s EUAC. If you are the EUAC and have not received your materials, please contact the Assurance Program coordinators at sys.assurance.program@frb.org.
- What is an EUAC and can we have more than one?
An “EUAC” or “End User Authorization Contact” is your organization’s designated point of contact for Federal Reserve Bank Financial Services. EUACs have many responsibilities, but one primary responsibility is to ensure that their organization is familiar with, and complies with, the security procedures that are applicable to the FedLine® Solutions used by the organization. Yes, you may have more than one. For more information, please visit the EUAC Support Page.
- Can any EUAC request a list from the Federal Reserve of all EUACs for an ABA?
“Authorizing Officials” for your organization maintain knowledge of your organization’s EUACs. The Federal Reserve Banks can only disclose the identity of an organization’s EUACs to an “Authorized Contact” on your Official Authorization List.
- Why are we receiving the attestation materials so far in advance of the due date?
We want to provide customers with as much notice as possible to ensure a successful implementation. Additionally, in some cases an EUAC may need to coordinate self-assessments and attestations across multiple ABAs and FedLine Solutions. Also, in some cases an independent reviewer may be required to conduct the self-assessment, and we recognize that may take time to coordinate.
- What if I did not receive my Assurance Program materials?
Contact the Assurance Program coordinators at sys.assurance.program@frb.org as soon as possible and our team will send you the Assurance Program materials.
- What if my document link within my Assurance Program email has expired?
Follow the prompts to receive a new link. You will see a button to request a new link under the expiration notice. Simply click that button and a new Assurance Program email with a new link will be sent to you.
- What is the deadline for submitting the attestation?
Your organization’s attestation is due by December 31 annually. You will receive periodic reminders throughout the year as the deadline approaches. There is no penalty for submitting the attestation early, and we strongly encourage you to do so. Going forward, the attestation will need to be completed once per calendar year (January – December).
- If we are unable to complete the attestation by the deadline of December 31, can we request an extension?
The Assurance Program is an ongoing program that requires an annual self-assessment; each year’s cycle is completed when the institution sends the Reserve Banks an attestation indicating that the self-assessment was conducted. Because the program is annual, extensions are not appropriate; an attestation received within any one calendar year will be effective for that year.
- What happens if I fail to submit the attestation by the due date?
Failure to submit an attestation by the due date is a violation of Operating Circular 5 that could result in the Reserve Banks taking any of the actions set out in section 7.1 of Operating Circular 5. At their discretion, the Reserve Banks may take other actions including but not limited to disclosing the circumstances of noncompliance to your prudential regulator or other supervisory body, as well as executing limitations on user access and authentications, services, and reporting. For additional information, please refer to Operating Circular 5, Appendix A, Section 5.
- Do we submit one attestation per ABA or one attestation for each FedLine Solution that our organization uses?
Your organization will be expected to complete one attestation per ABA.
- Do all banks need to complete the attestation or is it based on the size of the Bank or Institution?
All institutions (each ABA and RSSD ID) utilizing a FedLine Solution, either directly or indirectly through a service provider or other agent, will need to complete an attestation.
- If the Federal Reserve Banks determine that the self-assessment for our organization requires an independent reviewer this year, does that mean we will need to conduct an independent assessment annually, in perpetuity?
The Federal Reserve Banks determine which organizations will be subject to a standard or independent assessment based on a variety of factors and criteria and these factors may change from time to time. Factors may include, but are not limited to: FedLine Solutions and specific products used, payment volumes and thresholds, and current threat and risk factors. If any of these factors change for your organization throughout the year, the need for an independent assessment may also change.
- What determines if an Independent Review is required?
The Federal Reserve Banks determine which organizations will be subject to a standard or independent assessment based on a variety of factors and criteria and these factors may change from time to time. Factors may include, but are not limited to: FedLine Solutions and specific products used, payment volumes and thresholds, and current threat and risk factors. These factors are reviewed and evaluated periodically and may change over time.
If your institution is designated to complete an independent assessment or review, you can find this information in black bold text in the body of the email you received with your Assurance Program materials:
“Your organization is requested to perform an independent assessment to ensure compliance with the Security Requirements as outlined in Appendix A of the FedLine Solutions Security and Resiliency Assurance Program Guide.”
Additionally, your organization’s attestation statement will include terms that your attesting official is asserting that an independent assessment was performed, where required.
- Who can sign the attestation?
The individual who signs your attestation should be a senior management official or executive officer in charge of electronic payments operations or payments security for your organization.
- Can the person signing the attestation be an EUAC?
The attestation must be signed by a senior management official or executive officer in charge of electronic payments operations or payments security for your organization. Whether that person is, or is not, an EUAC will depend on the circumstances of each organization.
- Does the person signing the attestation have to be on the Bank’s Official Signer List?
No, as long as the individual signing is a senior management official or executive officer in charge of electronic payments operations or payments security for your organization.
- Do institutions that connect to FedLine through a service provider need to attest?
Yes. Although the use of service providers is permitted, these arrangements do not transfer an organization’s obligations or responsibility to comply with required security measures and controls.
For organizations that connect to FedLine only through a service provider, that organization can look to its service provider to obtain information necessary to submit its attestation. Exactly what the organization needs from its service provider in order to submit that organization’s attestation is up to each organization, but for example could include such items as (i) obtaining a copy of the service provider’s attestation to the Federal Reserve Banks, or (ii) obtaining a separate confirmation or other information from the service provider indicating that the required self-assessment was completed. The organization might then elect to use that information to support its own attestation. Additional information can be found in the Security and Resiliency Assurance Program Guide, included in the Attestation Package you receive electronically.
- Can the self-assessment be completed by internal staff/auditors or does it need to be completed by a third party?
Your self-assessment may be completed by your internal staff; however, some organizations may be required to have an independent party conduct or review their self-assessment.
For organizations that have been notified an independent assessment is required (this information is found in the body of your Assurance Program email), the requirement of independence can be satisfied by having:
- An independent third party, such as an external audit firm or security consultant, perform the assessment.
- An independent internal department/function perform the assessment, such as an internal audit or compliance department (i.e., a function that is not in the reporting line of the senior executive in charge of payment services).
If the assessment was conducted by a non-independent party or function, an independent third party must review the work conducted in connection with the assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements.
- Is there a standard assessment template for all institutions to complete, or does each have to develop their own along the guidelines published?
Each institution is permitted to make its own determination of the methodology in which it conducts the self-assessment, provided of course that the self-assessment is sufficient to enable the institution to submit the attestation.
- Can the independent assessment be completed by our Internal Security Assessors or IT Risk Committee?
Maybe. When an independent assessment is required, an internal department/function can perform the assessment provided that such internal department/function is independent, such as an internal audit or compliance department (i.e., a function that is not in the reporting line of the senior executive in charge of payment services).
- Does this pertain to all FedLine Solutions?
Yes, this attestation will be required for FedLine Web®, FedLine Advantage®, FedLine Command®, and FedLine Direct® Solutions.
- What is the scope of the Assurance Program?
The Assurance Program applies to all institutions that utilize a FedLine Solution, either directly or indirectly through a service provider or other agent. These institutions are required to comply with the FedLine policies, procedures and security controls (“Security Requirements”) applicable to their particular electronic connection. The Assurance Program requires that these institutions:
- Conduct a self-assessment of their compliance with the Security Requirements. It is a point-in-time assessment, conducted annually.
- If required by the Federal Reserve Banks, ensure that the assessment is conducted or reviewed by an independent internal function or third party.
- Attest to the Federal Reserve Banks that the self-assessment was completed.
- To the extent any deficiencies or gaps were identified in the self-assessment, develop a remediation plan to address such deficiencies.
Some institutions may have elected to outsource some or all of their payment or electronic connection to a third-party service provider. Although the use of third-party service providers is permitted, these outsourcing arrangements do not transfer an institution’s obligations or responsibility for complying with required security measures and controls.
- How can we be certain we’ve completed all the necessary reviews before signing the attestation?
Your guide of relevant controls is in the applicable FedLine Solutions and Financial Services Security Control Procedures and Operating Circulars received by your EUACs. Please visit the Security and Resiliency Assurance Program Resource Center for additional information. If you have any questions, please contact the Support Center. In addition to contacting the Support Center with questions, please know that your relationship manager is also available to assist you. To find a list of Federal Reserve Bank contacts specific to your organization, use the Find Your Contacts tool.
- Are the controls the same for all of the FedLine Solutions, or is there a separate set of controls for FedLine Advantage vs FedLine Web, etc.?
The Security and Control Procedures for each FedLine Solution contain the security controls that are relevant to that specific FedLine Solution. FedLine Security and Control Procedures are part of the FedLine documentation provided to your organization during the FedLine implementation process. These documents are available to your organization’s EUACs. Please refer to the Supporting Documentation section (Appendix B) of the Security and Resiliency Assurance Program Guide for additional detail. The link to the Program Guide can be found in the Assurance Program email package you received. Look for the following verbiage: “Please follow this link to review the kickoff materials including the Assurance Program Participant Expectations document, Program Guide and Attestation letter.”
- Will our IT Risk Assessment or ACH Risk Assessment suffice for this?
Individual, enterprise or unique solution-specific "risk assessments" may be supporting artifacts and resources leveraged when conducting the self-assessment or completing the attestation. The attestation process is described in the Security and Resiliency Assurance Program Guide.
- What is the frequency of the attestation?
Organizations will be required to conduct a self-assessment and complete a corresponding attestation on an annual basis (once each calendar year between January 1 and December 31).
- Will the person signing the attestation need to be a FedLine user or will the signature be outside of the FedLine System?
The individual executing the attestation does NOT have to be a FedLine user, nor have a FedLine credential. The individual should be a senior management official or executive officer in charge of electronic payments operations or payments security for your organization.
- Can our institution wait to delegate the email to the signer until a later time?
Yes, you can delegate at any time, provided the attestation is completed by December 31 each year. You may conduct the security assessment and complete the attestation at any point during the calendar year that works best for your organization. Many organizations align this process with their existing annual security and compliance audits.
- What is the requirement to address gaps identified during the self-assessment?
You should follow your existing remediation processes, commensurate with the nature of the identified gap. Your organization is not required to submit the results or findings of your self-assessment, any supporting documentation, or any remediation plans. The electronically signed attestation response is the only document that must be submitted to the Federal Reserve Banks.
Note, however, that evidence of the assessment and any remediation activity should be maintained according to your organization’s record retention policy.
- Where can I locate the most current FedLine Security requirements?
The Security and Resiliency Assurance Program is based on the current FedLine security guides and requirements for FedLine Solutions. This documentation is available via your organization’s EUACs. Please refer to Appendix B of the FedLine Security and Resiliency Assurance Program Guide for additional information. The link to the Program Guide can be found in the Assurance Program email package you received. Look for the following verbiage: “Please follow this link to review the kickoff materials including the Assurance Program Participant Expectations document, Program Guide and Attestation letter.”
- What are the security requirements that I must use to conduct my self-assessment?
The Program requires that you conduct a self-assessment of your compliance with the Federal Reserve Banks’ policies, procedures and security controls associated with your FedLine electronic connection (“Security Requirements”). These Security Requirements are set forth in various documents, which are referenced in the FedLine Security and Resiliency Assurance Program Guide and are available via your organization’s EUACs for the FedLine Solution applicable to your organization.
- What if we only use Reporting Central, no payments, do we still need to attest?
Yes. Any institution connecting to the Federal Reserve Banks through a FedLine Solution will need to attest to having conducted a self-assessment of compliance with the security requirements.
- For companies using multiple FedLine Solutions, how many signers are required for the attestation?
There is no requirement for a particular number of signers or that signers be different for each FedLine Solution or electronic connection being used. The institution can determine if different signers are appropriate for different solutions for which they have responsibility.
- What if I need to delegate a different signer?
You can delegate to a different signer as needed.
- We have partners with access to FedLine Web. Would those partners and their controls need to be included in the assessment?
Yes.
Documentation questions
- Does this program require a separate EUAC from those we already have?
No. Your current EUACs should be able to coordinate the requirements of the FedLine Solutions Security and Resiliency Assurance Program.
- Where can I find the Program Guide?
The link to the Program Guide can be found in the Assurance Program email package you received. Look for the following verbiage: “Please follow this link to review the kickoff materials including the Assurance Program Participant Expectations document, Program Guide and Attestation letter.”
If you are unable to locate the Assurance Program email, please contact your EUACs or the Assurance Program coordinators sys.assurance.program@frb.org.
- Does the link within the email expire to sign the attestation?
Yes, it expires on the deadline, December 31, of the year in which it was received.
- Are the security requirements for FedLine Solutions current?
Yes, the security requirements are kept current and updated regularly as needed. Notification is sent when the various requirements change and all changes are noted within the documentation. Please ensure the EUAC information on file for your organization is accurate so you receive all updated information in a timely manner.
- Can SOC I and II audits fulfill the requirements for FedLine Solutions Security and Resiliency Assurance Programs?
The detailed requirements and expectations of the Assurance Program are described in the Program Guide that was provided with the attestation package sent to your organization. There are no restrictions that prohibit an organization from fulfilling the requirements of the Assurance Program self-assessment (or expanding its scope) alongside an existing or other compliance review. For the purposes of the Assurance Program, the FedLine Security Requirements must be sufficiently within the scope of the SOC review to enable an organization to complete the attestation in good faith. The Federal Reserve Banks do not weigh the results differently depending on whether they originate from a SOC review or from outside the SOC process.
- What if I signed the attestation in error or made a mistake on the attestation?
Please contact the Support Center, the Assurance Program coordinators at sys.assurance.program@frb.org, or your Relationship Manager. We can delete any erroneous attestation and send a new Assurance Program package. To find a list of Federal Reserve Bank contacts specific to your organization, use the Find Your Contacts tool.
Resources
- Where can I find additional information about the Assurance Program?
Please visit the Security and Resiliency Assurance Program Resource Center. We will regularly update the Resource Center and FAQs with the latest information. If you have additional questions, please contact the Support Center. As a reminder, your relationship manager is also available to assist you. To find a list of Federal Reserve Bank contacts specific to your organization, use the Find Your Contacts tool.
- Will FedLine be providing a mapping or comparison to other regulatory attestations that participants are required to perform?
Several organizations and regulatory bodies may require some form of ongoing assurance (of compliance) or security attestation. The Federal Reserve Banks are not able to provide a comparison of our program and requirements to the various other assurance programs that may exist, or evolve over time.
- Is there any guidance regarding how you expect my organization to conduct the self-assessment?
Each organization may make its own determination of the methodology in which it conducts the self-assessment, provided of course that the self-assessment is sufficient to enable the organization to complete the attestation.
- Can you please provide the link to register for the Assurance Program webinars?
Webinars are hosted regularly and registration information, if available, as well as recordings, are posted on the Security and Resiliency Assurance Program Resource Center in the Webinar section.
- Is the Support Center available to answer our Assurance Program questions?
The Support Center is available and is ready to help answer your questions. You may also contact the Assurance Program team at sys.assurance.program@frb.org.