6 Steps for Complying with the FedLine Solutions Security and Resiliency Assurance Program

Written by Monica Bolin, CERP, Manager, Enterprise Risk Management | Dec 15, 2021 12:00:00 PM

Everyone is worried about the increase in cyber threats and attacks on payment networks, including the Federal Reserve. That's why the Fed created the FedLine Solutions Security and Resiliency Assurance Program, and institutions using FedLine Solutions must complete the program by December 31, 2021.

What are the requirements of the FedLine Solutions Security and Resiliency Assurance Program?

The Fed requires all organizations to take all reasonable measures necessary to prevent fraud, unauthorized access, other unauthorized use, or disruption to the operations of any FedLine solution. The program requires that organizations conduct an annual self-assessment of their compliance with the security requirements, attest that the self-assessment was completed, and address any deficiencies noted during the process.

Who is required to complete the FedLine Solutions Security and Resiliency Assurance Program?

The program applies to all organizations that use FedLine Solutions to access electronic payment services, including:

    • FedACH Services
    • Fedwire Services
    • FedCash Services

6 Steps to comply with the program

With the deadline just a few weeks away, here are the steps your institution needs to take to ensure compliance with the program.

1. Identify the primary End User Authorization Contact (EUAC) at your institution who will coordinate the program, including the assessment and submission of the attestation.

2. Identify the senior management officer who will electronically attest that the assessment is complete. The officer should be responsible for electronic payments operations or payments security in your organization.

3. Complete the risk/self-assessment. The assessment should be completed by individual(s) with demonstrated experience in cybersecurity and auditing of payment systems. The Security and Control Procedures for each FedLine Solution contain security controls that are relevant for the specific FedLine Solution and should be addressed within the assessment.

Some institutions will be notified by the Fed that an independent assessment is required. If you must submit an independent assessment, it should be completed by either:

    • An independent third party, such as an external audit firm or security consultant
      or
    • An independent internal department, such as the internal audit or compliance department (it must be a function that is not in the reporting line of the senior executive in charge of payment services)

If the assessment is instead conducted by a party that is not independent, an independent third party must review the work performed in connection with the assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the security requirements.

The attestation will require details about which of the above approaches was used, including the name and contact information of the assessor and the date the review/assessment was completed.

4. The senior officer submits the attestation once the assessment is complete. The submission also serves as his or her electronic signature. The assessment itself is NOT submitted to the Fed; only the attestation is.

5. Develop and document a remediation plan if any deficiencies or gaps were identified in the assessment. The plan should include action items, owners, and timelines.

6. Retain the assessment, plus any supporting documentation, analysis, and testing, in accordance with your institution's record retention policy. Internal/external auditors or regulatory agencies may ask to review it.

Reminder: The first attestations must be completed and submitted by December 31, 2021.

Bonus tip for completing FedLine assessments

Don't know where to start with your risk/self-assessment? Ncontracts has many risk assessment templates built into Nrisk, including a FedLine assessment that can be used for this program. The assessment includes the risks and the expected controls for each.

Building off the template, you can then:

      1. Review the controls
      2. Modify as needed to be appropriate for your institution
      3. Ensure that those controls are in place
      4. Determine the effectiveness of those controls.

Ncontracts risk assessments provide a baseline inherent risk level for each risk, though it should be reviewed to ensure it is in line with your institution's approach to operational risk.

Ncontracts also has an audit program for FedLine built into Nverify, which provides additional direction for your internal audit team.

Don't miss this important compliance deadline! Learn more about how Nrisk can help.