
Assurance Program Frequently Asked Questions

Overview

In response to the evolving security threat landscape, the Federal Reserve Banks are implementing a Security and Resiliency Assurance Program (“Assurance Program”). As part of this new program, institutions and service providers that use the FedLine® Solutions must:

  • Conduct an assessment of their compliance with the Federal Reserve Banks’ FedLine security requirements
  • Submit an attestation that they have completed the assessment

The FAQs below have been created to help your organization become familiar with the program. If you have additional questions, please contact the Customer Contact Center (CCC) at (888) 333-7010.

Frequently Asked Questions

Attestation materials, process and timing

  1. When will my organization receive its attestation materials?

    Service Provider organizations have already received their attestation materials. Remaining organizations are scheduled to receive their attestation materials in January 2021. Materials will be sent via email to all End User Authorization Contacts (EUACs) listed for each ABA or RSSD ID. However, your organization will need to identify a primary EUAC who will coordinate the assessment and attestation on behalf of your organization. In advance of the January distribution, please ensure that your organization’s EUAC contact information is current. Typically, an organization’s OAL can identify a current list of EUACs. When you contact us, we can only provide current EUACs to the OAL(s), following appropriate due diligence.

  2. Why are we receiving the attestation materials so far in advance of the due date?

    While the security requirements are not new, the attestation process is, and we want to provide customers with as much notice as possible to ensure a successful implementation. Additionally, in some cases an End User Authorization Contact may need to coordinate attestations across multiple ABAs and FedLine Solutions. Also, in some cases an independent reviewer may be required to conduct the self-assessment, and we recognize that may take time to coordinate.

  3. Can the attestation packets be provided earlier than January 1, 2021?

    Yes. However, most organizations will not receive the attestation materials until January 2021. The signed attestation is due on December 31, 2021. To learn more about the attestation process, we encourage you to register for an upcoming webinar.

  4. What is the deadline for submitting the attestation?

    Your organization’s attestation is due by December 31, 2021. You will receive periodic reminders throughout the year as the deadline approaches. There is no penalty for submitting the attestation early, and we strongly encourage you to do so. Going forward, the attestation will need to be completed once per calendar year (January – December).

  5. What happens if I fail to submit the attestation by the due date?

    Notify the Customer Contact Center at (888) 333-7010 as soon as possible in any case where your organization may require an extension. Requests for extensions will be reviewed on a case-by-case basis, depending on circumstances. Your account executive is also available to assist you. To find a list of Federal Reserve Bank contacts specific to your organization, use the Find Your Contacts tool.

  6. Do we submit one attestation per ABA or one attestation for each FedLine Solution that our organization uses?

    Your organization will be expected to complete one attestation per ABA.

  7. Do all banks need to complete the attestation or is it based on the size of the Bank or Institution?

    Yes, all institutions (each ABA and RSSD ID) utilizing FedLine Solutions will need to complete an Attestation.

  8. If the Federal Reserve Banks determine that the self-assessment for our organization requires an independent reviewer this year, does that mean we will need to conduct an independent assessment annually, in perpetuity?

    The Federal Reserve Banks determine which organizations are subject to a standard or independent assessment based on a variety of factors, such as: FedLine Solutions used, specific products and services, business use cases and the type of organization represented. If any of these factors change for your organization throughout the year, the need for an independent assessment may also change.

  9. What determines if an Independent Review is required?

    The Federal Reserve Banks determine which organizations are subject to a standard or independent assessment based on a variety of factors, such as: FedLine Solutions used, specific products and services, business use cases and the type of organization represented.

  10. Who can sign the attestation?

    The individual who signs your attestation should be an official or executive officer in charge of electronic payments operations or payments security for your organization.

  11. Does the person signing the attestation have to be on the Bank’s Official Signer List?

    No, as long as the individual signing is an official or executive officer in charge of electronic payments operations or payments security for your organization.

  12. Do institutions that connect to FedLine through a service provider need to attest?

    Yes. While Service Providers are required to provide their own attestation to the Federal Reserve Banks, your organization is still responsible for completing its own attestation.

    For organizations that connect to FedLine only through a service provider, that organization can look to its service provider to obtain information necessary to submit its attestation. Exactly what the organization needs from its service provider in order to submit that organization’s attestation is up to each organization, but for example could include such items as (i) obtaining a copy of the service provider’s attestation to the Federal Reserve Banks, or (ii) obtaining a separate confirmation or other information from the service provider indicating that the required self-assessment was completed. The organization might then elect to use that information to support its own attestation. Additional information can be found in Item 4 in the Security and Resiliency Assurance Program Guide, included in the Attestation Package you receive electronically.

  13. Can the self-assessment be completed by internal staff/auditors or does it need to be completed by a third party?

    Your self-assessment may be completed by your internal staff; however, some organizations may be required to have an independent party conduct or review their self-assessment.

    For organizations that must use an independent party to conduct the self-assessment, the requirement of independence can be satisfied by having:

    • An independent third party, such as an external audit firm or security consultant, perform the assessment.
    • An independent internal department/function perform the assessment, such as an internal audit or compliance department (i.e., a function that is not in the reporting line of the senior executive in charge of payment services).
    • If the assessment was conducted by a non-independent party or function, an independent third party must review the work conducted in connection with the assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements.

  14. Is there a standard assessment template for all institutions to complete, or does each have to develop their own along the guidelines published?

    Each institution is permitted to make its own determination of the methodology in which it conducts the self-assessment, provided of course that the self-assessment is sufficient to enable the institution to submit the attestation.

  15. Does this pertain to all FedLine Solutions?

    Yes, this attestation will be required for FedLine Web, FedLine Advantage, FedLine Command, and FedLine Direct Solutions.

  16. Are the controls the same for all of the FedLine Solutions, or is there a separate set of controls for FedLine Advantage vs FedLine Web, etc.?

    The Federal Reserve Banks develop and provide implementation, security controls and operating guidance for each FedLine Solution. Typically, the guidance and specific security control recommendations are unique to the solution. An EUAC is a designated and primary contact between your organization and the Federal Reserve Banks. An EUAC from your organization can access the security and control procedures, via the EUAC support page, for the FedLine Solution applicable to your organization.

  17. Will our IT Risk Assessment or ACH Risk Assessment suffice for this?

    Individual, enterprise or unique solution-specific "risk assessments" may be supporting artifacts and resources leveraged when conducting the self-assessment or completing the attestation. The attestation process is described in the Security and Resiliency Assurance Program Guide.

  18. What is the frequency of the attestation?

    Going forward, we anticipate that organizations will be required to conduct a self-assessment and complete a corresponding attestation on an annual basis (once each calendar year between January 1 and December 31).

  19. Will the person signing the attestation need to be a FedLine user or will the signature be outside of the FedLine System?

    The person executing the attestation does NOT have to be a FedLine user. The individual should be a senior management official or executive officer in charge of electronic payments operations or payments security for your organization.

  20. When is the first attestation due?

    December 31, 2021.

  21. Where can I locate the most current FedLine Security requirements?

    The Security and Resiliency Program is based on the current FedLine security requirements for FedLine Solutions. This documentation is available via your organization’s EUACs.

  22. What are the security requirements that I must use to conduct my self-assessment?

    The Program requires that you conduct a self-assessment of your compliance with the Federal Reserve Banks’ policies, procedures and security controls associated with your FedLine electronic connection (“Security Requirements”). These Security Requirements are set forth in various documents, which are referenced in the FedLine Security and Resiliency Assurance Program Guide, and are available via your organization’s End User Authorization Contacts (EUACs).

  23. What if we only use Central Reporting, no payments, do we still need to attest?

    Yes. Any institution connecting to the Federal Reserve to use any of our FedLine products will need to attest to having conducted a self-assessment of compliance with the security requirements.

Documentation questions:

  1. Does this program require a separate EUAC from those we already have?

    No. Your current EUACs should be able to coordinate the requirements of the FedLine Solutions Security and Resiliency Assurance Program.

  2. Are the security requirements for FedLine Solutions current?

    Yes, the security requirements are kept current and updated annually. Notification is sent when the various requirements are updated. Please ensure the EUAC information on file for your organization is accurate so you receive all updated information in a timely manner.

  3. Can SOC I and II audits fulfill the requirements for FedLine Solutions Security and Resiliency Assurance Programs?

    The detailed requirements and expectations of the Assurance Program are described in the Program Guide that will be provided with the attestation package sent to your organization. There are no restrictions that prohibit an organization from fulfilling the requirements of the Assurance Program self-assessment (or expanding the scope) along with an existing or other compliance review. For the purposes of the Assurance Program, the FedLine Security Requirements must be sufficiently within the scope of the SOC review to enable an organization to complete the attestation in good faith. The Federal Reserve Banks do not weigh the results differently if they originate from a SOC or outside the SOC process.

Resources

  1. Where can I find additional information about the Assurance Program?

    We will regularly update this page with the latest information. If you have additional questions, please contact the Customer Contact Center at (888) 333-7010. As a reminder, your account executive is also available to assist you. To find a list of Federal Reserve Bank contacts specific to your organization, use the Find Your Contacts tool.

  2. Will FedLine be providing a mapping or comparison to other regulatory attestations that participants are required to perform?

    Several organizations and regulatory bodies may require some form of ongoing assurance (of compliance) or security attestation. The Federal Reserve Banks are not able to provide a comparison of our program and requirements to the various other assurance programs that may exist, or evolve over time.

  3. Is there any guidance regarding how you expect my organization to conduct the self-assessment?

    Each organization may make its own determination of the methodology in which it conducts the self-assessment, provided of course that the self-assessment is sufficient to enable the organization to complete the attestation.

  4. Can you please provide the link to register for the SRAP webinars?

  5. Is the Customer Contact Center (CCC) available to answer our SRAP questions now or do we need to wait until we receive our Attestation Packets in January 2021?

    The CCC is available and able to answer your questions now.
