Everyone is worried about the increase of cyber threats and attacks on payment networks—including the Federal Reserve. That’s why the Fed created The FedLine Solutions Security and Resiliency Assurance Program, and institutions using FedLine Solutions must complete the program by December 31, 2021.
What are the requirements of the Fedline Solutions Security and Resiliency Assurance Program?
The Fed requires all organizations to take all reasonable measures necessary to prevent fraud, unauthorized access, other unauthorized use or disruption to the operations of any FedLine solution. The program requires that organizations conduct an annual self-assessment of their compliance with the security requirements, attest that the self-assessment was completed, and address any deficiencies noted during the process.
Who is required to complete the Fedline Solutions Security and Resiliency Assurance Program?
The Fed requires all organizations that access electronic payment solutions including:
-
- FedACH Services
- Fedwire Services
- FedCash Services
6 Steps to comply with the program
With the deadline just a few weeks away, here are the steps your institution needs to take to ensure compliance with the program.
1. Identify the primary End User Authorization Contact (EUAC) at your institution who will coordinate the program, including the assessment and submission of the attestation.
2. Identify the senior management officer who will electronically attest that the assessment is complete. The officer should be responsible for electronic payments operations or payments security in your organization.
3. Complete the risk/self-assessment. The assessment should be completed by individual(s) with demonstrated experience in cybersecurity and auditing of payment systems. The Security and Control Procedures for each FedLine Solution contain security controls that are relevant for the specific FedLine Solution and should be addressed within the assessment.
Some institutions will be notified if an independent assessment is required. If you must submit the independent assessment, the assessment should be completed by either:
-
- An independent third party, such as an external audit firm or security consultant
or - An independent internal department, such as internal audit or compliance department (must be a function that is not in the reporting line of the senior executive in charge of payment services)
- An independent third party, such as an external audit firm or security consultant
Read also: 4 Key Risks Facing the Banking Industry, According to the OCC
The attestation will require details about which of the above approaches were used, including the name and contact information of the assessor, and the date the review/assessment was completed.
However, if the assessment is conducted by a non-independent party, an independent third party must review the work conducted in connection with the assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the security requirements.
The attestation will require details about which of the above approaches were used, including the name and contact information of the assessor, and the date the review/assessment was completed.
4. The Senior officer submits the attestation after the assessment is completed. This also serves as his/her electronic signature. The assessment itself is NOT submitted to the Fed.
5. Develop and document a remediation plan if any deficiencies or gaps were identified in the assessment. This should include action plans and timelines.
6. Retain the assessment, plus any supporting documentation, analysis and testing, in accordance with your institution’s record retention policy. It may also be used by internal/external auditors or regulatory agencies.
Reminder: The first attestations must be completed and submitted by December 31, 2021.
Related: Managing Risks Like An Astronaut
Bonus tip for completing FedLine assessments
Don’t know where to start with your risk/self-assessment? Ncontracts has many risk assessment templates built into Nrisk, including a FedLine assessment that can be used for this program. The assessment includes the risks and the expected controls.
Building off the template, you can then:
-
-
- Review the controls
- Modify as needed to be appropriate for your institution
- Ensure that those controls are in place
- Determine the effectiveness of those controls.
-
Ncontracts risk assessments provide a baseline inherent risk level for reach risk, though it should be reviewed to ensure it’s in line with your institution’s approach to operational risk.
Ncontracts also has an audit program for FedLine built into Nverify, which provides additional direction for your internal audit team.
Read also: 3 Tips for Avoiding an Equifax-Style Breach
Don’t miss this important compliance deadline! Learn more about Nrisk can help.
Related: What is Business Continuity Management?
Subscribe to the Nsight Blog
Share this
Risk Management 101: Risk Assessments for Financial Institutions
Creating Reliable Risk Assessments: How to Measure Compliance Risk
