Booklet: FedLine®
Section: Operational (Transaction) Risk Management

Action Summary

Financial institutions are responsible for developing the appropriate physical,
administrative, logical, and procedural safeguards necessary to mitigate
funds transfer operational (transaction) risk when using the FT application.

At a minimum, institutions should consider implementing the suggested controls
and safeguards described below. Although financial institutions may implement
the suggested controls differently depending upon the nature of their
activities, each institution should demonstrate an effective control environment.
Appropriately defined and assigned FT and Local Administration (LA) application
access levels support effective separation of duties. The institution
should also implement, monitor, and test the effectiveness of the logical
access controls as part of its information security program. Financial
institutions should also develop, implement, and test business continuity
plans appropriate for their level of funds transfer activity.

PHYSICAL SECURITY CONTROLS
The physical security controls described in this section focus on preventing
unauthorized staff and customer access to the FedLine PC and printer.
Financial institution management should periodically assess the overall
physical security risks associated with the use of the FedLine PC and
printer and determine the specific physical security risks present when
using the FT application. The risk assessment should focus on the financial
institution’s funds transfer operation and include an analysis
of any risks resulting from building and office configuration limitations.
The assessment should also include an analysis of any risks associated
with controlling physical access to FedLine software and other critical
information.

ACCESS TO THE FEDLINE PC
Weak physical security controls could result in the unauthorized use of,
or tampering with, the FedLine PC and printer, thereby jeopardizing the
integrity of the PC platform, FedLine software, or funds transfer messages
entered for transmission to the Federal Reserve. Failure to properly secure
the financial institution’s wire room or the work area designated
for the operation of the FedLine PC and printer could create vulnerabilities
due to unauthorized staff or customer access.

Institution management should locate the FedLine PC and printer in a physically secured
area that prevents unauthorized staff and customer access. Therefore,
institutions should avoid operating the FedLine system from an area designated
for customer transactions. Financial institutions should consider locating
the FedLine PC and printer in a locked room with restricted and monitored
access. Placing the PC in an open staff area during normal business hours
may also be acceptable if the institution can demonstrate that appropriate
monitoring is conducted and that the PC is properly secured (e.g., locked
cabinet or PC enclosure) during non-business hours. Ultimately, financial
institution management should establish a level of physical security appropriate
to its operating environment.

ACCESS TO FEDLINE SOFTWARE AND OTHER CRITICAL INFORMATION
Unauthorized access to FedLine software and other critical information
(e.g., encryption material, master local user ID and password, configuration
diskette, PC power-on password, printer log) potentially compromises the
availability and integrity of funds transfer operations. In the event
of an equipment failure, power outage, or declared disaster, this risk
may increase.
Management should secure these materials under lock and key, and restrict
access to authorized staff on a need-to-know basis. Management should
also ensure that complete backups of these materials are stored securely
offsite. These materials include:

Configuration Diskette – Used in conjunction with the local Federal Reserve
Bank office in case authorized users are locked out of the system
or there is a need to re-configure the system.

Encryption Material – Refers to information pertaining to the encryption
implementation and Federal Reserve Bank supplied encryption keys.
FedLine encryption keys are unique to each FedLine PC.

PC Power-on Password (if available on PC used for FedLine) –
Requires the use of a password before the FedLine PC will activate.
The Local Security Administrator (LSA) should not have access to the
PC power-on password, and a procedure should be established defining
its use and the circumstances under which the LSA can gain access.
This procedural control can prevent the LSA from potentially entering
unauthorized funds transfer messages while the FedLine PC is not being
monitored. If the PC power-on password is not available, the institution
should carefully monitor access to the FedLine PC during business
hours, and physically secure the FedLine PC after business hours to
prevent unauthorized LSA access.

Master Local User ID (Master ID) and Password – The master ID
and password shipped with FedLine. The LSA uses the master ID and
password to initially establish access to FedLine and is required
to immediately change the default password for production use. The
master ID and password should be stored in a secure location (e.g.,
safe deposit box in the vault). It is important to remember that the
master password may be needed in an emergency or other situation in
which the LSA is unavailable and LA application functions need to
be performed. The master ID and password should be changed by the
LSA or back-up or alternate LSA immediately after it is used in an
emergency situation and stored securely for future use.

ADMINISTRATIVE CONTROLS
The administrative controls described in this section are primarily designed
to ensure that the financial institution has appropriately assigned the
role of LSA and back-up or alternate LSA. The LSA and back-up LSA perform
critical roles in defining and maintaining an effective, efficient, and
secure funds transfer operation. As such, assigned staff members should
be trusted and not responsible for day-to-day payment and computer-related
operations. The financial institution should also establish procedures
for the periodic review of the FedLine printer log (Printer Recap Report),
and is responsible for maintaining the FedLine PC at current release levels.

LOCAL SECURITY ADMINISTRATOR
The use of FedLine requires the financial institution to designate an
LSA. The LSA, using the LA application, is responsible for establishing
and maintaining application access levels for all financial institution
users, including those assigned the FT application. The LSA is a privileged
user who could bypass authorized access levels and security settings,
resulting in the sending of unauthorized funds transfer messages.

Financial institutions should generally limit the number of employees with LSA access
to two staff members, and periodically monitor their activities. In larger
institutions, senior management should carefully evaluate and justify
the existence of more than two staff members with LSA responsibilities.

As privileged FedLine users, the LSA and back-up or alternate LSA have the
authority to bypass established funds transfer internal controls. Compensating
controls, including prompt reconcilement and accounting procedures, timely
FedLine printer log (Printer Recap Report) reviews, and distinct job descriptions
that promote effective separation of duties, should be established to
mitigate potentially fraudulent actions on the part of the LSA and back-up
LSA. If the LSA or back-up LSA uses the FedLine PC, operations staff should
be present to monitor their actions, where practical.

The LSA acts as the primary contact with the Federal Reserve Bank for FedLine
software updates and host-communication and encryption-related activities.
The LSA is primarily an administrative role. The LSA is responsible for
adding new users, deleting old users, and changing authorized user access
levels as their responsibilities change. The LSA, in order to perform
these functions, is required to use the LA application, “Entry/Update”
access level. Since this access gives a user privileged access to the
FedLine application, institutions should only assign LA application access
to the LSA and LSA back-up.

The LSA duties are inconsistent with any role in the daily operations of the
FedLine application. To ensure the ability to restrict and monitor FedLine
activity, any staff member assigned access to the LA application, which
allows entry and update capabilities, should not have access to either
the FT or Host Communications (HC) applications. Even with this restriction
in place, an unauthorized funds transfer message could be created and
transmitted if personnel with the LA application, “Entry/Update”
access level, have unmonitored access to the FedLine PC and Federal Reserve
Bank host computer access. It is essential that the financial institution
carefully evaluate assigned access levels and monitor physical access
to the FedLine PC. The designated LSA, back-up LSA, and any other staff
assigned the LA application with “Entry/Update” access level
should not have a role in the daily operation of any FedLine business
applications, particularly the FT application.

FEDLINE PRINTER LOG
The financial institution should have the appropriate procedures for controlling
and reviewing the FedLine printer log (Printer Recap Report), which automatically
logs all FedLine activity to an attached dedicated printer. Failure to
maintain and adhere to such procedures allows potentially unauthorized
and fraudulent activity to occur undetected for extended business periods.

The printer log, designed for continuous feed paper, should not exhibit unexplained
breaks, and should be reviewed periodically, and at each cycle/date rollover,
by staff other than the LSA to confirm only authorized LSA and FT activity
has taken place. The recommended retention period for the FedLine PC printer
log is five (5) years. The log can serve as an invaluable resource for
reviewing changes made to the FedLine environment.

FEDLINE PATCH MANAGEMENT
Failure to maintain the FedLine computer at current software release levels
or to apply all patches and program changes issued by the Federal Reserve
Banks potentially exposes the financial institution to processing errors
due to noncompliance with program updates reflecting Federal Reserve and
clearinghouse processing and format changes.

The LSA should establish the appropriate procedures to maintain the FedLine
PC at current release levels, and to ensure the implementation of Federal
Reserve-supplied patches and authorized program changes as required. The
“Browse Patch Status” (refer to the “Examination Procedures”,
Appendix A, Objective 2, Work Step 8) provides a history of all upgrades
performed on the FedLine PC. In addition to ensuring the application of
appropriate patches and maintenance upgrades, it is also important to
ensure the back-up and implementation of all patches and upgrades to FedLine
PCs used at any alternate processing sites.

LOGICAL ACCESS CONTROLS
The logical access controls described in this section focus on preventing
inappropriately assigned access levels within the FT application to staff
working in the wire room or funds transfer operation. Inappropriately
assigned access levels provide the opportunity to transmit unauthorized
funds transfer messages. This risk is greater if message verification
is not appropriately set to ensure adequate separation of staff duties
between those initiating and those responsible for verifying and sending
funds transfer messages. Staff, whether or not assigned to the wire room,
may also have inappropriately assigned access levels within the LA application
that could allow them unauthorized access to the FT application. This
control deficiency could enable the creation and transmission of unauthorized
funds transfer messages.

Each staff member should only have one local user ID assigned. Staff with more
than one local user ID could bypass established verification requirements
by using the first ID to enter funds transfer messages and using the second
ID to perform verification and transmission.

FEDLINE ACCESS LEVELS
Appropriately assigned FT and HC application access levels support effective
separation of duties and should be designed to prevent the sending of
unauthorized funds transfer messages. Access assigned to staff responsible
for the financial institution’s wire room or funds transfer operation
should be based on a “least privilege” basis, reinforcing
the concept of only authorizing the level of access needed to perform
a particular job function. The institution should require staff independent
of the wire room or funds transfer operations to periodically review and
evaluate the assigned FT access levels.
Staff assigned to the FT application are responsible for creating and
updating funds transfer messages and normally require the “Entry/Update”
access level. Staff responsible for transmitting authorized funds transfer
messages normally require the “Verify/Transmit” access level.
Some staff members will also require access to the HC application, and
should be assigned the appropriate HC application “Entry/Update”
or “Verify/Transmit” access levels depending upon their responsibilities.
In addition, message verification should be set to ensure an adequate
separation of duties between staff initiating funds transfer messages
and those responsible for verifying and sending funds transfer messages.

Staff assigned the “Entry/Update” and “Verify/Transmit”
access levels within the FT application should not also be assigned the
FT “Supervisor” or “Managerial” access levels.
The FT application “Supervisor” and “Managerial”
access levels permit the user to bypass the verification requirement,
and should only be activated by the LSA in response to unique processing
situations. If activated, the LSA should monitor the actions performed
by FT staff assigned these access levels and deactivate them when processing
is complete. While the “Supervisor” access level is needed
to perform required functions in other FedLine applications such as “Startup/Shutdown
Control,” it is not normally needed for the FT application.

HOST COMPUTER ACCESS
Having “Entry/Update” and “Verify/Transmit” access
to the HC application is not sufficient by itself to allow for the transmission
of authorized funds transfer messages to the Federal Reserve Bank’s
host computer. To transmit authorized FT messages the individual must
also possess a valid Federal Reserve Bank host user code and password
permitting the transmission of funds transfer messages to the host Fedwire
funds transfer application. The LSA, working with the respective Federal
Reserve Bank, is responsible for establishing staff host user codes and
passwords. The LSA is also responsible for ensuring that ongoing host access
is still needed and that host user codes no longer required are deactivated or deleted.
The LSA should maintain an accurate “Host User Code” list
defining active staff host user codes, and financial institution management
should be able to certify the accuracy of the list if requested by examination
staff on-site (refer to the “Examination Procedures”, Appendix
A, Objective 2, Work Step 9).

FEDLINE ACCESS REPORTS
The “User-ID Status” and “User/Access” reports
(refer to the “Examination Procedures”, Appendix A, Objective
2, Work Steps 4 and 5) should be used to verify the logical access controls
granted to staff assigned to the wire room or funds transfer operation.
Examiners should verify that staff members using FedLine on a daily basis
do not have the LA application listed under their local user ID on the
“User/Access” report. The “**” on the listing
indicates access has been granted to all applications listed on the menu,
except for the LA application. If a staff member has access to the LA
application, it will be listed specifically on the “User/Access”
report, and should be questioned as to the need for this level of access.

In addition, examiners should review the FedLine “Users Guide”
that should be made available to examiners on-site for more detailed information
on available reports and screen snapshots that will assist in verifying
assigned access levels.
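
The access review described in this section can be run as a repeatable check. The following is an added example, not part of the booklet and not FedLine code: it applies the separation-of-duties rules stated above (one local user ID per staff member, no FT or HC access for LA “Entry/Update” holders, no FT “Supervisor” or “Managerial” level for FT operational staff, no more than two staff with LA access without justification) to a constructed roster. The roster layout, user IDs, staff labels, and rule names are assumptions and do not reflect the format of the “User/Access” report.

```python
from collections import defaultdict

# Constructed roster for illustration. This is NOT the layout of the FedLine
# "User/Access" report; user IDs, staff labels and field names are assumptions.
ROSTER = [
    {"user_id": "WIRE01", "staff": "staff-A", "access": {("FT", "Entry/Update")}},
    {"user_id": "WIRE02", "staff": "staff-B",
     "access": {("FT", "Verify/Transmit"), ("HC", "Verify/Transmit")}},
    {"user_id": "WIRE03", "staff": "staff-A", "access": {("FT", "Verify/Transmit")}},
    {"user_id": "WIRE04", "staff": "staff-C",
     "access": {("FT", "Entry/Update"), ("FT", "Supervisor")}},
    {"user_id": "LSA01", "staff": "staff-D", "access": {("LA", "Entry/Update")}},
    {"user_id": "LSA02", "staff": "staff-E",
     "access": {("LA", "Entry/Update"), ("FT", "Entry/Update")}},
    {"user_id": "LSA03", "staff": "staff-F", "access": {("LA", "Entry/Update")}},
]

MAX_LA_STAFF = 2                               # more than two needs justification
FT_OPERATIONAL = {"Entry/Update", "Verify/Transmit"}
FT_BYPASS = {"Supervisor", "Managerial"}       # can bypass verification


def review_roster(roster):
    """Return sorted (rule, subject, detail) findings for a list of ID records."""
    findings = []
    ids_by_staff = defaultdict(list)
    la_staff = set()

    for rec in roster:
        ids_by_staff[rec["staff"]].append(rec["user_id"])
        apps = {app for app, _ in rec["access"]}
        ft_levels = {level for app, level in rec["access"] if app == "FT"}

        # LA "Entry/Update" holders should have no FT or HC access.
        if ("LA", "Entry/Update") in rec["access"]:
            la_staff.add(rec["staff"])
            conflicts = sorted(apps & {"FT", "HC"})
            if conflicts:
                findings.append(("LA_WITH_OPERATIONS", rec["user_id"],
                                 "also holds " + ", ".join(conflicts)))

        # FT operational staff should not also hold a verification-bypass level.
        if ft_levels & FT_OPERATIONAL and ft_levels & FT_BYPASS:
            findings.append(("FT_BYPASS_LEVEL", rec["user_id"],
                             ", ".join(sorted(ft_levels & FT_BYPASS))))

    # One local user ID per staff member; a second ID can defeat verification.
    for staff, ids in ids_by_staff.items():
        if len(ids) > 1:
            findings.append(("MULTIPLE_IDS", staff, ", ".join(sorted(ids))))

    if len(la_staff) > MAX_LA_STAFF:
        findings.append(("LA_STAFF_COUNT", "institution",
                         f"{len(la_staff)} staff hold LA Entry/Update"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject, detail in review_roster(ROSTER):
        print(f"{rule:20} {subject:10} {detail}")
```

Each finding is a prompt for the independent reviewer to question the need for the access, not a determination that the access is unauthorized.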

PROCEDURAL CONTROLS
The procedural controls described in this section focus on the financial
institution policies and procedures used to process funds transfers. These
procedures may not provide the appropriate level of control and supporting
documentation for the movement of funds into or out of customer and institution
accounts. Inadequate policies and procedures used to prepare funds transfer
source documents, verify debit and credit transactions affecting customer
and institution accounts, noncompliance with the Office of Foreign Assets
Control (OFAC) verification procedures, and lack of independent funds
transfer processing and balancing functions, create the potential for
fraudulent funds transfer activity.

FUNDS TRANSFER POLICIES AND PROCEDURES
Financial institutions should have funds transfer policies and procedures
addressing both the processing of funds transfer messages within the wire
room and the related standards for creating and maintaining source documents
for the movement of funds into and out of customer and institution accounts.
Policies and procedures should include documentation describing all interfaces
between the FedLine FT application and other backroom and customer-related
banking processes, and should address the controls relating to crediting,
debiting, and reconciling customer and institution account balances.
Policies and procedures should also document institution specific compliance
requirements to address federal and state regulations including OFAC verification
procedures.

INFORMATION SECURITY PROGRAM
The financial institution’s information security program should
include an effective risk assessment methodology supporting an evaluation
of the risks relating to performing high-risk activities such as funds
transfer and other payment-related activities. Risk assessments based
on a periodic review of high-risk activities such as funds transfer should
be used to develop effective standards for adequate separation of duties,
physical security, and logical access controls based on the concept of
“least privilege”.

INTERNAL AND EXTERNAL AUDIT
Periodic independent reviews of the funds transfer operation, including
all pertinent internal policies and procedures, should be conducted by
the financial institution’s internal auditors, or included as a
part of the external audit. Financial institution audits should verify
the effectiveness of the funds transfer control environment and identify
funds transfer deficiencies for correction.

BUSINESS CONTINUITY PLANNING
The inability to restore funds transfer services in a timely manner can
expose a financial institution to increased operational (transaction),
liquidity, or credit risks resulting from the lack of system availability.
Typically, funds transfer operations are critically important in managing
the financial institution’s assets. Unscheduled system outages can
reduce the institution’s ability to manage its operations effectively
and could adversely affect the institution’s customers and counterparties.
Failure to prepare and test business continuity plans capable of restoring
funds transfer service to levels commensurate with the financial institution’s
business requirements can result in significant risk to the institution.

An institution’s business continuity plan should document the ability
to restore wire transfer operations and quickly recover any potentially
lost funds transfer transactions in the event of a system outage. In most
emergencies, the institution can initiate off-line funds transfer message
transactions by contacting the local Federal Reserve Bank office via telephone.
Generally, this contingency arrangement is sufficient if the institution
does not generate large funds transfer message volumes. If a disaster
or other type of emergency is declared, and the off-line funds transfer
procedure is invoked, authorized funds transfer operations staff will
require access to specific encryption code words needed to complete the
off-line funds transfer process.

For financial institutions generating larger funds transfer volumes, back-up
FedLine PCs should be included at the institution’s back-up business
and information processing facility, and tested periodically to ensure
connectivity with the Federal Reserve.

The institution should also have business continuity plans in place for equipment
failure (e.g., encryption device, modem, or PC failure). These plans should
include establishing an inventory of spare encryption boards, modems,
and other hardware components. The institution can also contact its Federal
Reserve Bank to arrange for next-day shipment of replacement hardware
and software components.

Business continuity plans should include creating a back-up copy of the current
FedLine configuration diskette. The back-up diskette should be stored
in a secure off-site location along with the encryption material, PC power-on
password, and master ID. Additionally, the institution should periodically
make a static file back-up of the FedLine applications (“Back-Up
Static Files” function in the “Miscellaneous Support”
application) that includes customized financial institution-specific information
(e.g., frequent ABA numbers, user IDs, and recurring funds transfer-related
information).