Oct 19, 2022
Get Help With Your FedLine Self-Assessment
The Federal Reserve Banks created the FedLine Solutions Security and Resiliency Assurance Program to help protect payment and other sensitive information used in their systems. In this blog post, we’ll describe the annual Self-Assessment and Attestation processes required for this program and how Tevora can partner with you to streamline your path to successful completion of these processes.
What Are FedLine Solutions?
FedLine Solutions provide Federal Reserve Banks and other organizations with access to Federal Reserve payment and information services (e.g., payments clearing, exchange of payment information, electronic messaging).
What is the FedLine Solutions Security and Resiliency Assurance Program?
The FedLine Solutions Security and Resiliency Assurance Program (Assurance Program) requires organizations with access to FedLine Solutions to conduct Self-Assessments to confirm compliance with relevant FedLine Security Requirements. The program is intended to help guard against unauthorized access to information used in FedLine Solutions.
Organizations must submit an Attestation each year confirming that they have completed the Self-Assessment. Senior management from your organization is required to participate in the security review process to encourage holistic risk management practices and risk-based decision-making.
What are the Benefits of the FedLine Assurance Program?
The FedLine Assurance Program offers the following benefits to the Federal Reserve Banks and users of FedLine Services:
- Reinforces the safety, security, resiliency, and trust of the Federal Reserve Banks’ services for all financial institutions and service providers.
- Reduces the risk of fraudulent transactions and promotes executive-level awareness of any gaps or control deficiencies within an organization.
- Enhances an organization’s risk management and resiliency focus to help ensure endpoint environments are secure.
- Increases confidence that critical controls are in place and being monitored to protect payment systems and customer information.
- Enhances an organization’s vigilance against cyber-attacks while fostering discussions and planning to develop timely remediation plans for identified key risks or deficiencies.
- Strengthens an organization’s defenses against growing and highly sophisticated attacks targeting payment systems and payment providers.
What are the FedLine Security Requirements?
The FedLine Assurance Program is risk-based and rooted in industry best practices, federal standards (including NIST), and supervisory guidance (including FFIEC guidance). The security controls you will be required to comply with vary depending on the specific FedLine Solutions being used. Documentation on the controls applicable to your organization will be provided via an Assurance Program email that is sent in January of each year.
What Steps Are Involved in the FedLine Assurance Program?
Organizations that use FedLine Solutions must perform the following steps to complete the Assurance Program each year:
- Assessment. Conduct a Self-Assessment to evaluate your organization’s compliance with FedLine Security Requirements. The assessment should include documentation of any gaps in the organization’s compliance.
You may be required to have the Self-Assessment conducted or reviewed by an independent function or third party. If required, this will be indicated in the annual Assessment Program email you receive in January of each year.
- Remediation. Develop and implement a remediation plan to address identified compliance gaps. After remediation is complete, conduct a follow-up assessment focused on the identified gaps to confirm that all areas are now in compliance with FedLine Security Requirements.
- Attestation. Write and send an Attestation Letter to the Federal Reserve Banks indicating that you have completed your Self-Assessment. Instructions for doing so will be included in your January Assessment Program email. Your Attestation Letter must be signed by a senior management official or executive officer responsible for electronic payments operations or payments security.
What Are the Criteria for Determining if an Independent Assessment or Review is Required?
The Federal Reserve Banks will determine which organizations are subject to a standard vs. independent review based on multiple factors, which may change from time to time. These factors may include FedLine Solutions or products used, payment volumes or thresholds, and current threat or risk factors.
If your organization is required to conduct an independent assessment or review, this will be indicated with bold text in your annual Assessment Program email.
What is the Deadline for Submitting FedLine Assurance Program Attestation Materials?
FedLine Solutions users will receive an email in January each year with instructions for completing the Self-Assessment and Attestation along with supporting reference materials. Attestations are due by December 31st of each year.
What Should We Do to Prepare for the FedLine Self-Assessment?
There are a few things you should do to ensure you are ready to hit the ground running with your annual FedLine Self-Assessment.
Prepare to Receive the Annual Assurance Program Email
The Federal Reserve Banks use an electronic signature solution offered by Adobe Sign. Instructions on the workflow for completing your Self-Assessment and Attestation will be included in your annual Assurance Program email, which will be sent from an email address using the Adobe Sign domain (@adobesign.com). Be sure that this domain is added to your organization’s safe senders list so that you are ready to receive the Assurance Program email in January.
You are required to designate at least two employees to be End User Authorized Contacts (EUACs) for your organization. Your annual Assurance Program email will be sent to these contacts. Instructions for onboarding or changing EUACs are provided on the FedLine EUAC Support Page.
Identify Roles and Responsibilities
Identify the people or organizations that will have primary responsibility for activities required to complete your Self-Assessment and Attestation, including:
- A primary EUAC to coordinate the Self-Assessment and Attestation process.
- A senior management official who will electronically sign the Attestation Letter.
- If required, the person(s) or organization from an independent in-house function or third party that will conduct or review your Self-Assessment. (Note: Tevora would be happy to perform this role as a third party.)
Coordinate with Compliance or Internal Audit Departments
Communicate with your organization’s Compliance or Internal Audit departments to determine how your Self-Assessment and Attestation processes should align with broader compliance or audit efforts.
Your Trusted Partner
Tevora’s FedLine team has deep knowledge of and experience with the FedLine Assessment Program, and we can be a trusted partner to help you complete your Self-Assessment and Attestation. We know that many organizations lack the staff, expertise, or time available to conduct assessments like this, and we are happy to help you perform as much or as little of the work as needed to ensure streamlined execution and successful attestation.
Here are some of the ways we can help:
- Answer questions about the FedLine Security Requirements and how they apply to your organization.
- Conduct the entire Self-Assessment process or portions of the assessment where you need extra help.
- Make recommendations for remediation work needed to address identified compliance gaps.
- Conduct remediation work.
We will work hand-in-hand with your team to develop customized recommendations and solutions that meet the specific needs of your organization. This sets us apart from many of our competitors that offer cookie-cutter solutions to problems that require a more nuanced approach.
Here are additional resources that provide a deeper dive into the topics covered in this blog post:
- FedLine Assurance Program Resource Center
- FedLine Assurance Program FAQs
- FedLine Operating Circular 5 (Electronic Access)
Tevora Can Help
If you have questions about the FedLine Assurance Program or would like help implementing it in your organization, just give us a call at (833) 292-1609 or email us at email@example.com.
Much of the content in this blog post is derived from this resource center.