In response to the evolving security threat landscape, the Federal Reserve Banks implemented a Security and Resiliency Assurance Program (Assurance Program). The goal of the Assurance Program is to reduce the risk of systemic breakdown and of fraudulent payments being sent through the payments system. If your institution uses FedLine Advantage or FedLine Web, you are now required to complete an annual attestation that you meet the Federal Reserve’s security standards. Depending on which solution(s) you use, there could be over 50 controls for which you will need to attest compliance.
As part of this new program, institutions that utilize the FedLine Solutions must assess their compliance with the Federal Reserve Banks’ FedLine security requirements and submit an attestation that they have completed the assessment. Your organization has the 2021 calendar year (January–December 2021) to complete the program. Going forward, all service providers and financial institutions are expected to complete the program on an annual basis.
The Assurance Program requirements are outlined in the Federal Reserve Operating Circular No. 5. Each institution and, if applicable, any service provider, shall at least annually conduct a self-assessment of its compliance with the security requirements (Self-Assessment). The Self-Assessment may be calibrated based on an institution’s analysis of the risks it faces. However, the Federal Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function.
The attestation sought by the Federal Reserve Banks will generally include the following:
- An acknowledgement of the institution’s responsibility to adhere to the security requirements, and a confirmation that the institution has conducted a Self-Assessment within the time period requested by the Federal Reserve Banks;
- If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function, such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the security requirements;
- If applicable, an acknowledgement that the institution is responsible for its service provider’s compliance with the security requirements;
- A statement that the institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the institution, to promptly address any areas of noncompliance with the security requirements; and
- An acknowledgement that the institution must immediately notify the Federal Reserve Banks of any suspected or confirmed fraud, infringement, or security breach relating to any electronic connection.
The FedLine Advantage Security and Control Procedures and FedLine Web Security and Control Procedures collectively outline the controls that need to be assessed to comply with the Assurance Program. Institutions can access these documents via the EUAC Center in FedLine Home.
In response to the Assurance Program, S.R. Snodgrass’s Technology Services Group has developed audit procedures to perform an independent assessment of the control requirements, with an accompanying report that will include any recommendations for controls not meeting the specified requirements.
- If your institution is already scheduled for a 2021 general computer controls audit from S.R. Snodgrass, we will discuss how we can help you meet these new requirements during our planning phase.
- If your institution has not engaged our firm for IT audit services, we would be pleased to meet with you to talk about how we can assist you. Please contact Jeremy Burris, Principal, at jburris@srsnodgrass.com or 814-574-8627.
For additional information on the Assurance Program, visit https://www.frbservices.org/resources/fedline-solutions/faq/fedline-assurance-program.html.