Get Ready for Fedline Solutions Security and Resiliency Assurance Program Requirements


Organizations using FedLine Solutions must attest their compliance by December 2021

With security threats continuing to evolve in the financial services sector, the Federal Reserve Banks have implemented a new Security and Resiliency Assurance Program, and affected organizations will need to take action before year-end to comply with the new requirements.

The purpose of the Fed assurance program is to “help reduce the risk of systemic breakdown and fraudulent payments being sent through the payments system,” and as the Federal Reserve Banks stated, organizations that use FedLine® Solutions payment and information services “play a vital role in safeguarding the payment messages and information that are transmitted over FedLine.”

Accordingly, all organizations that use the Federal Reserve Banks’ FedLine Solutions will be required to comply with the Fed assurance program requirements and attest such compliance by December 31, 2021.

Lack of compliance with the Fed assurance program requirements may lead to Fedline Solutions service restrictions, suspension or termination. Therefore, organizations should not wait until December to evaluate the requirements and/or conduct an assessment. Conducting an assessment earlier in the year will also provide the organization more time to address any gaps identified.

Organizations may benefit from engaging a third-party to assist with meeting these requirements (and in some cases, using an independent third-party may even be mandatory).

Fed assurance program requirements

The Federal Reserve Banks emailed organization’s End User Authorization Contacts (EUACs) earlier this year with the attestation materials, including compliance requirements. Organizations with multiple ABA routing numbers will be required to submit an attestation for each ABA.

The Fed assurance program requires all organizations that use FedLine Solutions to:

  • Conduct an assessment of their compliance with the Federal Reserve Banks’ FedLine Solutions security requirements as provided within the materials emailed to the EUACs
  • Submit an attestation by December 31, 2021, stating that the organization has completed the assessment

Going forward, the assessment and attestation will need to be completed on an annual basis. While there is no penalty for submitting the attestation early, organizations should confirm they are attesting to the latest requirements. Security requirements will vary depending on the Fedline Solutions product the organization uses. Security control requirements can be accessed by an EUAC on the EUAC support page within the Fedline Solutions product.

Additionally, the materials emailed from the Federal Reserve Banks will also advise EUACs if their organization is required to complete a standard assessment or an independent assessment. The Federal Reserve Banks will make the determination based on a variety of factors, including, but not limited to, the size of the organization, the Fedline Solutions product(s) utilized, and/or the complexity of the organization. Many organizations will be able to complete a standard assessment and therefore have their internal staff complete their self-assessment.

Organizations that are not required to use a third-party may still benefit from engaging outside professionals to assist them with meeting the Fed assurance program requirements. An independent party can help an organization’s compliance team save time, bring a fresh perspective, and share best practices based on their expertise and experience assisting other organizations with meeting the requirements and industry best practices.

Independent assessment

For organizations that must use an independent third-party to conduct the assessment or to review the organization’s self-assessment, the independence requirement may be satisfied any of the following ways:

  • An independent third party, such as an external audit firm or security consultant, performs the assessment
  • An independent internal department/function, such as an internal audit or compliance department, performs the assessment
  • If the assessment was conducted by a non-independent party or function, an independent third-party must review the work conducted in connection with the assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the security requirements

Additional considerations

In addition to the annual self-assessment attestation, the Federal Reserve Banks may require one or more supplemental assessments and attestations within any 12-month period if it suspects “an electronic connection may be subject to compromise, attack, unauthorized use, or other circumstance that would render the electronic connection vulnerable to misconduct.” Each organization must maintain records of the self-assessment, attestation and any supporting documentation.

The Federal Reserve Banks will send periodic reminders throughout the year as the deadline approaches. To learn more about the Security and Resiliency Assurance Program, see the list of Frequently Asked Questions on the Federal Reserve website or refer to Federal Reserve Operating Circular No. 5 (OC5), which outlines the Requirements of the Fed Assurance Program.

Kaufman Rossin’s Risk Advisory Services team can assist clients with completing their self-assessment or conduct an independent assessment, as well as supplementary services that can help an organization mitigate risks and/or comply with the Fed assurance program requirements. Contact our team to learn more.

Nathalie Feria, CAMS, CISA, is a Risk Advisory Services Manager at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.

Leave a Reply

Your email address will not be published. Required fields are marked *

We respect your personal information. Please review our Privacy Policy for more details.