In response to the evolving security threat landscape, the Federal Reserve Banks are implementing a Security and Resiliency Assurance Program (“Assurance Program”). As part of this new program, institutions and service providers that use the FedLine® Solutions must:
The FAQs below have been created to help your organization become familiar with the program. If you have additional questions, please contact the Customer Contact Center (CCC) at (888) 333-7010.
Service Provider organizations have already received their attestation materials. Remaining organizations are scheduled to receive their attestation materials in January 2021. Materials will be sent via email to all End User Authorization Contacts (EUACs) listed for each ABA or RSSD ID. However, your organization will need to identify a primary EUAC who will coordinate the assessment and attestation on behalf of your organization. In advance of the January distribution, please ensure that your organization’s EUAC contact information is current. Typically, an organization’s OAL can identify a current list of EUACs. When you contact us, we can only provide current EUACs to the OAL(s), following appropriate due diligence.
While the security requirements are not new, the attestation process is, and we want to provide customers with as much notice as possible to ensure a successful implementation. Additionally, in some cases an End User Authorization Contact may need to coordinate attestations across multiple ABAs and FedLine Solutions. Also, in some cases an independent reviewer may be required to conduct the self-assessment, and we recognize that this may take time to coordinate.
Yes. However, most organizations will not receive the attestation materials until January 2021. The signed attestation is due on December 31, 2021. To learn more about the attestation process, we encourage you to register for an upcoming webinar.
Your organization’s attestation is due by December 31, 2021. You will receive periodic reminders throughout the year as the deadline approaches. There is no penalty for submitting the attestation early, and we strongly encourage you to do so. Going forward, the attestation will need to be completed once per calendar year (January – December).
Notify the Customer Contact Center at (888) 333-7010 as soon as possible in any case where your organization may require an extension. Requests for extensions will be reviewed on a case-by-case basis, depending on circumstances. Your account executive is also available to assist you. To find a list of Federal Reserve Bank contacts specific to your organization, use the Find Your Contacts tool.
Your organization will be expected to complete one attestation per ABA.
Yes, all institutions (each ABA and RSSD ID) utilizing FedLine Solutions will need to complete an attestation.
The Federal Reserve Banks determine which organizations are subject to a standard or independent assessment based on a variety of factors, such as: FedLine Solutions used, specific products and services, business use cases and the type of organization represented. If any of these factors change for your organization throughout the year, the need for an independent assessment may also change.
The Federal Reserve Banks determine which organizations are subject to a standard or independent assessment based on a variety of factors, such as: FedLine Solutions used, specific products and services, business use cases and the type of organization represented.
The individual who signs your attestation should be an official or executive officer in charge of electronic payments operations or payments security for your organization.
No, as long as the individual signing is an official or executive officer in charge of electronic payments operations or payments security for your organization.
Yes. While Service Providers are required to provide their own attestation to the Federal Reserve Banks, your organization is still responsible for completing its own attestation.
For organizations that connect to FedLine only through a service provider, that organization can look to its service provider to obtain information necessary to submit its attestation. Exactly what the organization needs from its service provider in order to submit that organization’s attestation is up to each organization, but for example could include such items as (i) obtaining a copy of the service provider’s attestation to the Federal Reserve Banks, or (ii) obtaining a separate confirmation or other information from the service provider indicating that the required self-assessment was completed. The organization might then elect to use that information to support its own attestation. Additional information can be found in Item 4 in the Security and Resiliency Assurance Program Guide, included in the Attestation Package you receive electronically.
Your self-assessment may be completed by your internal staff; however, some organizations may be required to have an independent party conduct or review their self-assessment.
For organizations that must use an independent party to conduct the self-assessment, the requirement of independence can be satisfied by having:
Each institution is permitted to make its own determination of the methodology in which it conducts the self-assessment, provided of course that the self-assessment is sufficient to enable the institution to submit the attestation.
Yes, this attestation will be required for FedLine Web, FedLine Advantage, FedLine Command, and FedLine Direct Solutions.
The Federal Reserve Banks develop and provide implementation, security controls and operating guidance for each FedLine Solution. Typically, the guidance and specific security control recommendations are unique to the solution. An EUAC is a designated and primary contact between your organization and the Federal Reserve Banks. An EUAC from your organization can access the security and control procedures, via the EUAC support page, for the FedLine Solution applicable to your organization.
Individual, enterprise or unique solution-specific "risk assessments" may be supporting artifacts and resources leveraged when conducting the self-assessment or completing the attestation. The attestation process is described in the Security and Resiliency Assurance Program Guide.
Going forward, we anticipate that organizations will be required to conduct a self-assessment and complete a corresponding attestation on an annual basis (once each calendar year between January 1 and December 31).
The person executing the attestation does NOT have to be a FedLine user. The individual should be a senior management official or executive officer in charge of electronic payments operations or payments security for your organization.
December 31, 2021.
The Security and Resiliency Program is based on the current FedLine security requirements for FedLine Solutions. This documentation is available via your organization’s EUACs.
The Program requires that you conduct a self-assessment of your compliance with the Federal Reserve Banks’ policies, procedures and security controls associated with your FedLine electronic connection (“Security Requirements”). These Security Requirements are set forth in various documents, which are referenced in the FedLine Security and Resiliency Assurance Program Guide, and are available via your organization’s End User Authorization Contacts (EUACs).
Yes. Any institution connecting to the Federal Reserve to use any of our FedLine products will need to attest to having conducted a self-assessment of compliance with the security requirements.
No. Your current EUACs should be able to coordinate the requirements of the FedLine Solutions Security and Resiliency Assurance Program.
Yes, the security requirements are kept current and updated annually. Notification is sent when the various requirements are updated. Please ensure the EUAC information on file for your organization is accurate so you receive all updated information in a timely manner.
The detailed requirements and expectations of the Assurance Program are described in the Program Guide that will be provided with the attestation package sent to your organization. There are no restrictions that prohibit an organization from fulfilling the requirements of the Assurance Program self-assessment (or expanding the scope) along with an existing or other compliance review. For the purposes of the Assurance Program, the FedLine Security Requirements must be sufficiently within the scope of the SOC review to enable an organization to complete the attestation in good faith. The Federal Reserve Banks do not weigh the results differently if they originate from a SOC or outside the SOC process.
We will regularly update this page with the latest information. If you have additional questions, please contact the Customer Contact Center at (888) 333-7010. As a reminder, your account executive is also available to assist you. To find a list of Federal Reserve Bank contacts specific to your organization, use the Find Your Contacts tool.
Several organizations and regulatory bodies may require some form of ongoing assurance (of compliance) or security attestation. The Federal Reserve Banks are not able to provide a comparison of our program and requirements to the various other assurance programs that may exist, or evolve over time.
Each organization may make its own determination of the methodology in which it conducts the self-assessment, provided of course that the self-assessment is sufficient to enable the organization to complete the attestation.
The CCC is available and able to answer your questions now.