Booklet: FedLine®
Section:
Appendix A: Examination Procedures
The FedLine “Examination Procedures” are used to determine the adequacy and effectiveness of the logical, physical, administrative, and procedural controls, as well as business continuity planning, over the institution’s implementation of FedLine and use of the FT application. The procedures evaluate the effectiveness of the financial institution’s FedLine funds transfer internal controls environment and the related risk management processes.

The analysis for determining the examination procedures and testing to be performed should be based on the examiner’s assessment of the risks and risk management practices relating to the financial institution’s use of FedLine FT to support its funds transfer activity, including transaction volume and individual transaction dollar amounts. This assessment should include consideration of the formal policies and procedures established to provide funds transfer services, as well as an assessment of the effectiveness of the financial institution’s underlying internal control environment, including information security and business continuity.

A financial institution is exposed to significant operational (transaction), credit, and liquidity risks when processing funds transfers on behalf of its internal activities and in providing this service to its customers. Depending on the complexity of the funds transfer activity, the financial risks, operational (transactional) risks, and compliance risks may require an integrated team approach that includes the knowledge and skills of safety and soundness examiners, IT examiners, and compliance specialists. Refer to the IT Handbook’s “Information Security Booklet” and “Business Continuity Planning Booklet” for additional information regarding examination procedures that focus more specifically on security and business continuity planning.

Examiners can incorporate the procedures in either an IT or safety and soundness examination targeting the FedLine application in the scope. The procedures need not be used in their entirety and all of the work steps need not be performed. However, the examiner should perform sufficient procedures to arrive at a conclusion regarding the quality of risk management practices governing the funds transfer function.

TIER I OBJECTIVES AND PROCEDURES

Objective 1: Determine the scope and objectives of the examination of the FedLine FT application. Examiners need not perform every examination procedure or include every objective in developing the examination strategy.

1. Review past documents for comments relating to the FedLine FT application. Consider:
   • Regulatory reports of examination.
   • Internal and external audit reports.
   • Supervisory strategy documents, including risk assessments.
   • Examination work papers.
   • Correspondence.

   While reviewing this documentation, consider the implication of the findings for the institution’s internal control environment as it relates to FedLine FT. More specifically, assess:
   • Internal controls, including logical access, data center, and physical security controls.
   • Compliance with Federal Reserve System Operating Circulars, Nos. 5 and 6.

2. Obtain an inventory of any computer hardware, software, and telecommunications protocols used to support the wire room or funds transfer operation in addition to the FedLine PC.

3. During discussions with financial institution management, identify:
   • A thorough description of the funds transfer activity performed in-house, including activity volumes by dollar and number of transactions and the scope and complexity of operations.
   • A thorough description of any outsourced funds transfer-related services, including the use of third-party software products that generate funds transfer messages in addition to FedLine. Determine the financial institution’s level of reliance on these services.
   • Any significant changes in the funds transfer operation since the last examination, particularly the introduction of any new funds transfer services.
   • A description of all reports and logs used by management to verify appropriate staff access to the FT application.

4. Review the financial institution’s response to any funds transfer issues raised at the last examination. Consider:
   • Adequacy and timing of corrective action.
   • Resolution of root causes rather than specific issues.
   • Existence of outstanding issues.
 
Objective 2: Obtain information needed for the examination using FedLine reports and screen prints.
 
1. Obtain the financial institution’s FedLine user documentation, including the FedLine “Users Guide” and “Local Security Administrator Guide,” for more detailed information on security settings and controls.

2. Obtain the financial institution’s FedLine PC printer log (Printer Recap Report) for a one-week time period in advance of the on-site examination.

3. Obtain a screen print of the “Miscellaneous Security Settings” screen (option #99, LA “Entry/Update” access level).

4. Obtain a “User-ID Status Report” (option #60, LA “Inquiry” access level, type ALL to get all users).

5. Obtain a “User/Access Report” (option #65, LA “Inquiry” access level, press ENTER key for all users).

6. Obtain a screen print of the “Update Funds Application Attributes – Funds Transfers” screen (option #96, FT “Managerial” access level).

7. Obtain a screen print of the “Update Verify Fields – Funds Transfers” screen (option #93, FT “Managerial” access level).

8. Obtain a screen print of the “Browse Patch Status” screen (option #80, “HD Non-Restricted” access level).

9. Obtain the active staff “Host User Code” list from the LSA (the LSA should certify the accuracy of the list).
 
Objective 3: Determine the level of physical security surrounding the financial institution’s wire room, or the work area designated for the operation of the FedLine PC.
 
1. Verify whether there is a designated work area supporting the prevention of unauthorized staff and customer access, including the use of a locked room, locked cabinet or PC enclosure, or similar measure restricting access to authorized staff only. Note: Financial institutions may also consider placing the PC in an open staff area during normal business hours if it can be demonstrated that appropriate mitigating controls exist.

2. Verify whether the FedLine software and other critical information necessary to maintain funds transfer operations in the event of an equipment failure, outage, or declared disaster is appropriately controlled, including securing the following material under lock and key, restricting access to authorized staff only on a need-to-know basis:
   • Configuration Diskette – Used in conjunction with the local Federal Reserve Bank office.
   • Encryption Material – Refers to information pertaining to the encryption implementation and Federal Reserve Bank supplied encryption keys. FedLine encryption keys are unique to each FedLine PC.
   • PC Power-On Password – Requires the use of a password before the FedLine PC will activate.
   • Master Local User ID (Master ID) and Password – The master ID and password shipped with FedLine.
     
Objective 4: Evaluate the control environment and security settings for the FedLine PC and the FT application.
   
1. Verify that the miscellaneous security settings are set correctly (refer to Objective 2.3), including:
   • User ID suspended after “3” or less tries.
   • User must change password every “30” days or less.
   • Verification rule set to “E” or “U.”
   • Override and release rule set to “E” or “U.”
   • Timeout interval set to “10” minutes or less.
   • Suppress the Check for Possible Keyboard Eavesdropping set to “N.”
   • “Cycle/Date Rollover’s Print Delete Option” set to “Full.”

2. Review the User ID Status Report and Host User Code list (refer to Objectives 2.4 and 2.9), and:
   • Verify that no staff member is assigned more than one user ID.
   • Verify the accuracy of the status report when compared to staff currently assigned access to the FT application.
   • Verify that staff assigned host user codes require host access, and confirm that access to the HC application is appropriate.

3. Review the User/Access Report (refer to Objective 2.5), and:
   • Verify that staff members assigned LA application access are not assigned FT application access.
   • Determine, when more than two staff members are assigned to the LSA role, whether the institution has appropriate documentation justifying this approach.
   • Determine whether any funds transfer operations staff are not assigned FT application Supervisor or Managerial access.
   • Determine whether there is adequate separation of duties for funds transfer operations staff members assigned FT application access.

4. Review the “Update Funds Application Attributes – Funds Transfer” screen (refer to Objective 2.6):
   • Verify “Accountable Threshold” is set to 0.00 (if greater than 0.00, verify this amount has been approved by the board of directors and noted in the board minutes).
   • Verify “OK to Duplicate a Reference Field” is set to “N” (if set to “Y,” review the financial institution’s procedure for avoiding the entry of duplicate reference number information).
   • Verify “Automatically Hold All Accountable Messages From Transmission” is set to “N” (if set to “Y,” evaluate the financial institution’s ability to process funds transfer messages in a timely manner).

5. Review the “Update Verify Fields – Funds Transfer” screen (refer to Objective 2.7):
   • Verify that an “X” is entered for the dollar amount field.
   • Determine, through discussion or review of written policies, whether the financial institution requires other fields to be verified, and confirm that an “X” is entered for those fields.
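Steps 1 through 5 of Objective 4 compare captured screen values and report rows against fixed expectations, which makes them straightforward to script so that the same findings are produced every time the reports from Objective 2 are re-obtained. The Python below is an added example, not part of the FFIEC booklet or of any FedLine tool: it represents each screen print as a dictionary and the User/Access Report as rows of tuples, using constructed sample values, and returns a list of findings for each step. The field names, the row layout, and the use of LA application access as a stand-in for membership in the LSA role are assumptions of this example.

```python
"""Added example for Objective 4, steps 1-5 (not FFIEC or FedLine code).
Field names, row layout and all sample values are constructed assumptions."""

# "Miscellaneous Security Settings" screen (option #99), Objective 4.1.
SECURITY_SETTINGS = {
    "suspend_after_tries": 5,                   # expected: 3 or less
    "password_change_days": 30,                 # expected: 30 or less
    "verification_rule": "E",                   # expected: "E" or "U"
    "override_release_rule": "N",               # expected: "E" or "U"
    "timeout_minutes": 15,                      # expected: 10 or less
    "suppress_keyboard_eavesdrop_check": "N",   # expected: "N"
    "rollover_print_delete_option": "Full",     # expected: "Full"
}

# "Update Funds Application Attributes" screen (option #96), Objective 4.4.
FUNDS_ATTRIBUTES = {
    "accountable_threshold": 0.00,      # expected: 0.00 unless board-approved
    "ok_to_duplicate_reference": "Y",   # expected: "N"
    "auto_hold_accountable": "N",       # expected: "N"
}

# "Update Verify Fields" screen (option #93), Objective 4.5: field -> "X" or "".
VERIFY_FIELDS = {"dollar_amount": "", "receiver_aba": "X"}

# User/Access Report rows (option #65), Objectives 4.2 and 4.3:
# (user_id, staff_name, application, access_level). LA access is used here
# as the marker for the LSA role (an assumption of this example).
USER_ACCESS = [
    ("JSMITH1", "J. Smith", "LA", "Entry/Update"),
    ("JSMITH2", "J. Smith", "FT", "Entry/Update"),  # second ID, and LA plus FT
    ("ADOE",    "A. Doe",   "FT", "Supervisor"),
    ("BLEE",    "B. Lee",   "FT", "Entry/Update"),
    ("CRAY",    "C. Ray",   "LA", "Entry/Update"),
    ("DKIM",    "D. Kim",   "LA", "Entry/Update"),   # third LSA
]


def check_security_settings(s):
    """Objective 4.1: one finding per setting that misses its expected value."""
    findings = []
    if s["suspend_after_tries"] > 3:
        findings.append(f"suspend after {s['suspend_after_tries']} tries; expected 3 or less")
    if s["password_change_days"] > 30:
        findings.append(f"password change every {s['password_change_days']} days; expected 30 or less")
    if s["verification_rule"] not in ("E", "U"):
        findings.append(f"verification rule is {s['verification_rule']!r}; expected E or U")
    if s["override_release_rule"] not in ("E", "U"):
        findings.append(f"override/release rule is {s['override_release_rule']!r}; expected E or U")
    if s["timeout_minutes"] > 10:
        findings.append(f"timeout is {s['timeout_minutes']} minutes; expected 10 or less")
    if s["suppress_keyboard_eavesdrop_check"] != "N":
        findings.append("keyboard eavesdropping check is suppressed; expected N")
    if s["rollover_print_delete_option"] != "Full":
        findings.append(f"rollover print delete is {s['rollover_print_delete_option']!r}; expected Full")
    return findings


def check_funds_attributes(a, threshold_board_approved=False):
    """Objective 4.4: flag attribute values that need examiner follow-up."""
    findings = []
    if a["accountable_threshold"] > 0.00 and not threshold_board_approved:
        findings.append(f"accountable threshold {a['accountable_threshold']:.2f} lacks board approval")
    if a["ok_to_duplicate_reference"] != "N":
        findings.append("duplicate reference fields allowed; review de-duplication procedure")
    if a["auto_hold_accountable"] != "N":
        findings.append("all accountable messages held; assess timeliness of processing")
    return findings


def check_verify_fields(v, required=("dollar_amount",)):
    """Objective 4.5: every required field (dollar amount at minimum) must carry an X."""
    return [f"verify field {f!r} is not marked X" for f in required if v.get(f) != "X"]


def check_user_access(rows):
    """Objectives 4.2 and 4.3: one ID per person, no LA+FT overlap, at most two LSAs."""
    ids, apps = {}, {}
    for uid, name, app, _level in rows:
        ids.setdefault(name, set()).add(uid)
        apps.setdefault(name, set()).add(app)
    findings = []
    for name in sorted(ids):
        if len(ids[name]) > 1:
            findings.append(f"{name} holds {len(ids[name])} user IDs: {sorted(ids[name])}")
        if {"LA", "FT"} <= apps[name]:
            findings.append(f"{name} holds both LA and FT application access")
    lsa_count = sum(1 for name in apps if "LA" in apps[name])
    if lsa_count > 2:
        findings.append(f"{lsa_count} staff hold the LSA role; documented justification required")
    return findings


if __name__ == "__main__":
    for step, found in (("4.1", check_security_settings(SECURITY_SETTINGS)),
                        ("4.2/4.3", check_user_access(USER_ACCESS)),
                        ("4.4", check_funds_attributes(FUNDS_ATTRIBUTES)),
                        ("4.5", check_verify_fields(VERIFY_FIELDS))):
        print(f"Objective {step}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Each function returns findings rather than printing them, so the same checks can be run against a compliant set of values to confirm they stay silent; in the constructed sample, the settings produce three findings (lockout tries, override/release rule, timeout), the User/Access Report three (a second user ID, an LA/FT overlap, and a third LSA), the funds attributes one, and the verify fields one.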
 
6. Verify that the “Master User ID” password has been changed from the original password, re-established under dual control, and stored in a sealed envelope in a secure location in case the LSA or back-up is not available.

7. Verify that the FedLine configuration diskette is stored in a secure location and is available only to the LSA.

8. Verify that “Encryption Material” is stored in a secure location and is accessible only to the LSA and the LSA back-up designee.

9. Determine whether the FedLine PC has a power-on password option. If it does, verify that it is activated and that the password is not given to staff assigned the LA access level without a legitimate need to know. If it does not, evaluate the institution’s ability to control access to the FedLine PC by staff assigned the LA access level, including monitoring the FedLine PC during business hours and physically securing it after business hours.

10. Review the help desk (HD) application’s “Browse Patch Status” screen (refer to Objective 2.8) and determine whether the FedLine PC is maintained at current release levels and whether all Federal Reserve supplied patches and authorized program changes are applied as required.
 
Objective 5: Evaluate financial institution procedural controls for both the processing of funds transfer messages within the wire room or funds transfer operation and related standards for the movement of funds into and out of specific customer and institution accounts.
 
1. Evaluate the policies, procedures, and supporting documentation describing interfaces between the FedLine FT application and other internal banking processes, including:
   • Adequacy of procedures for generating and storing source documents used to process funds transfers, including the appropriate documentation, reference/control numbers, and authorizations.
   • Adequacy of procedures for reconciling completed funds transfer transactions with customer and institution accounts.
   • Compliance with regulatory requirements, including OFAC verification procedures.
   • Adequacy of procedures for using third-party funds transfer software products, if applicable, in conjunction with FedLine, including source document preparation, authorization, reconcilement, and record retention.

2. Evaluate the financial institution’s information security program, including:
   • Documented separation of duties principles, particularly for high-risk areas.
   • Defined physical security and logical access control standards, including specific controls for high-risk business activities such as funds transfer.
   • Defined risk assessment methodology, including assessing high-risk activities such as funds transfer and other payment-related functions.

3. Evaluate whether the financial institution’s internal and external auditors:
   • Periodically perform independent assessments of the wire room or funds transfer operation, including evaluating internal policies and procedures.
   • Verify the effectiveness of the wire room or funds transfer operation control environment and business continuity preparedness.

4. Evaluate whether the financial institution’s policies and procedures for the FedLine printer log (Printer Recap Report) include:
   • Adequate procedures to ensure the integrity of the printer log, including appropriate approvals for any breaks in the log printer paper.
   • Adequate procedures for an independent periodic management review (not by the LSA or back-up) of the printer log, including the cycle/date rollover and any changes to assigned access levels, security settings, and the addition or deletion of FedLine users.
   • A five (5) year printer log retention policy.
 
Objective 6: Evaluate the effectiveness of the institution’s business continuity planning and disaster recovery capability relating to funds transfer operations.
 
1. Evaluate the institution’s ability to send and receive funds transfers in the event of an equipment failure.

2. Evaluate the institution’s methodology for sending and receiving transfers if required to operate from a different location, including availability of back-up FedLine PCs.

3. Evaluate the institution’s testing of business continuity plans related to the wire room or funds transfer operation.

4. Determine whether the institution keeps a back-up copy of the encryption material, PC power-on password, and master ID and password stored off site at a secure location. Evaluate whether staff access to these materials is on a need-to-know basis.

5. Determine whether the institution has established an inventory of spare encryption boards, modems, and other PC-related hardware. Evaluate whether these components are stored securely off site and readily available in the event of a device failure.

6. Determine whether the institution keeps a back-up copy of the most current version of the FedLine software on diskette, stored off site at a secure location. Review whether these back-ups include FedLine software patches as they are issued.

7. Determine whether the institution periodically generates a static file back-up of all FedLine financial institution-specific information and stores it off site at a secure location (Note: static file back-ups should be performed for all FedLine PCs and stored off site).
 
CONCLUSIONS
 
Objective 7: Discuss corrective action and communicate findings.
 
1. From the procedures performed:
   • Document conclusions related to the quality and effectiveness of the security controls and business continuity planning relating to the wire room or funds transfer operation and FedLine FT application.
   • Determine and document to what extent, if any, the examiner may rely upon funds transfer review procedures performed by internal or external audit.

2. Review your preliminary conclusions with the EIC regarding:
   • Violations of law, rulings, regulations, and third-party agreements.
   • Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination.
   • Potential impact of your conclusions on composite and component URSIT ratings.

3. Discuss your findings with management and obtain proposed corrective action, including time frames for correction, for significant deficiencies.

4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC Report of Examination and guidance to future examiners.

5. Organize work papers to ensure clear support for significant findings and conclusions.