The Federal Reserve has announced a new initiative called the "FedLine Solutions Security and Resiliency Assurance Program." The program requires organizations that use FedLine services to (1) complete an assessment, (2) develop a remediation plan for any gaps, and (3) submit a signed attestation of compliance with the security requirements to the Federal Reserve. In this article, we answer frequently asked questions about the program.
What is FedLine?
FedLine is a suite of payment solutions, designed to facilitate electronic payments in an efficient, reliable, and secure manner. FedLine solutions include FedLine Direct, FedLine Command, FedLine Advantage, FedLine Web, and FedMail. To learn more about each of these solutions and the included services, see the FedLine Solutions page on the Federal Reserve website.
What is the FedLine Solutions Security and Resiliency Assurance Program?
To ensure security and reduce the risk of fraudulent payments, the Federal Reserve has developed a set of security requirements that institutions using FedLine Solutions must implement. The requirements cover areas such as PC controls, hardware controls, network controls, documentation and data, and assurance.
To verify that these requirements are being met, the Federal Reserve has developed the "FedLine Solutions Security and Resiliency Assurance Program." The program has three components:
- Assessment. Each organization must conduct a self-assessment to determine whether the requirements are met. In addition, the Federal Reserve may require an independent assessment or review, based on factors such as the solutions implemented, use cases, and organizational complexity.
- Remediation Plan. For any gaps highlighted in the assessment process, the organization must develop a plan of action to remediate the deficiencies.
- Attestation. An organization official or the executive in charge of payments must sign an attestation form confirming that the organization understands the security requirements, has conducted the assessment, has a remediation plan for any gaps, and so on.
How can I complete the assessment and attestation?
While each organization will determine how best to conduct the assessment for its own environment, here are some steps to help you through the process.
Step 1: Review Communications from the Federal Reserve
Attestation materials designed to guide you through the process were sent to your organization and were scheduled to arrive by January 1, 2021. If you have not received the materials, contact the FedLine Solutions Customer Contact Center.
Step 2: Gather the Required Documents
Download the following documents from the FedLine Solutions website.
- Operating Circular 5
- Certification Practice Statement: Federal Reserve Banks' Certification Authority
- Certification Practice Statement: Federal Reserve Banks' Services Public Key Infrastructure (PKI)
- Password Practice Statement
Depending on which FedLine Solutions your organization has implemented, you will also need to locate the Security and Controls Procedures documents for each solution. These documents are not publicly available. You have three options for locating them:
- Locate where your organization stored them during the solution implementation process.
- Download the FedLine Web and FedLine Advantage documents from the EUAC Center.
- Contact the FedLine Solutions Customer Contact Center to request a copy.
Step 3: Conduct the Assessment
Each document includes a list of requirements. To perform a self-assessment, review the requirements with the applicable personnel (e.g., payments, technology, operations) and determine whether each requirement is implemented. Note any items that are not in place, along with the evidence you relied on for the items that are.
If the Federal Reserve notifies you that you must have an "independent assessment," you may be able to do one of the following:
- Hire an independent third party to perform the assessment.
- Have an independent internal department perform the assessment (e.g., internal audit, compliance, etc.).
- Conduct a self-assessment and have it reviewed and substantiated by an independent party.
Step 4: Create a Remediation Plan
If any areas of noncompliance were noted during the assessment, create a remediation plan to address them. Escalate the issues to the responsible parties and develop a written plan of action, with an owner and target date for each gap.
Step 5: Submit the Attestation
You are not required to submit the self-assessment, but you are required to submit the attestation. Instructions for submitting the attestation are included with the attestation materials you received from the Federal Reserve. When finished, retain copies of the self-assessment, supporting documentation, and attestation documents for your records.
Step 6: Set a Schedule
The attestation must be completed by December 31 of each year. Schedule time to review the assessment, update any remediated areas, and complete the attestation again before each year's deadline.
Will Tandem develop anything for this?
At Tandem, it is our goal to improve security while easing the burden of regulatory compliance, and we are honored to have so many financial institutions contacting us for assistance with completing this assessment.
The Tandem Compliance Management product includes a "FedLine Solutions Security and Resiliency Assurance Program" recurring requirement. This feature is designed to remind customers about completing the assessment and submitting the attestation each year. Additional information can be found in the Compliance Management Knowledge Base.
Regarding a tool for completing the assessment itself: several of the required documents are confidential, and the Federal Reserve has elected not to share them with the public. We cannot develop a tool without these documents, but we will watch for them to become public and will continue to evaluate how we can best serve our clients.
For additional information, see the following FedLine Solutions Security and Resiliency Assurance Program resources.