FedLine Solution Security and Resiliency Assurance Program Overview

In October 2020, the Federal Reserve announced the Security and Resiliency Assurance Program for FedLine Solutions. FedLine Solutions are a suite of applications that allow banks to perform electronic transfers such as ACH and wires and other functions such as ordering cash from the Fed. The purpose of the Security and Resiliency Assurance Program (Program) is to ensure the security of the FedLine Solutions system and reduce the risk of fraudulent transactions being sent through the system. 

The Program requires institutions that utilize FedLine to complete the following by the end of 2021:

Conduct an assessment of their compliance with FedLine security requirements published by the Federal Reserve for each FedLine application.
Submit an attestation to the Federal Reserve that they have completed the assessment.

The assessment portion of the Program must be completed by all institutions that use a FedLine Solutions product, no matter which products are used. The scope of the controls to be assessed will differ by product, as the Federal Reserve publishes different security controls and guidance for each application. For example, institutions using FedLine for reporting will have a different set of controls to assess than those that are using wire and ACH applications. The security requirements for each application are accessible to the designated end user authorization contact (EUAC) for each institution on the EUAC support webpage.

The assessment itself can be conducted as either a self-assessment or an independent review by a third party. The Federal Reserve will determine if an institution needs to complete an independent review on a case-by-case basis using a variety of factors such as institution size and complexity and products used. Institutions that are allowed to complete self-assessments can utilize internal staff, while those requiring an independent review must use a third-party audit/security consultant such as Schneider Downs to complete the assessment. Alternatively, an independent internal function such as internal audit can complete most of the assessment, but an independent third party must review the work conducted by internal staff to complete the assessment.

Once the self-assessment or independent review has been completed, a signed attestation must be submitted to the Federal Reserve, stating that the institution has completed the appropriate assessment. The first attestation must be submitted by December 31, 2021, and completed annually thereafter. The individual signing the attestation should be an executive in charge of payment solutions or the primary group(s) using FedLine at the institution but does not need to be a user or EUAC themselves. There is no exemption to this requirement.

To prepare for the assessment, institutions should do the following:

Make sure your institution’s EUAC contact information is up to date.
Review the security requirements for the FedLine Solutions utilized by your institution and develop a plan to complete the assessment.
Consult with an audit firm like Schneider Downs to assist with developing a self-assessment or independent review.

 
