Risk Assessments

  • 1.  Risk Assessment for the US Federal Reserve Bank

    This message was posted by a user wishing to remain anonymous
    Posted 04-20-2022 01:12 PM

    Does anyone have a Risk Assessment for the US Federal Reserve Bank they are willing to share? If you have opted out of the risk assessment, what was the documented reason you provided for the opt out? 

    Thank you


  • 2.  RE: Risk Assessment for the US Federal Reserve Bank

    Posted 04-26-2022 01:28 PM

    May I assume that you refer to the Federal Reserve Banks' Security and Resiliency Assurance Program requirements? For the benefit of other readers, the FRB provides direct access to Federal Reserve Bank required payment and information services and applications through various services collectively known as FedLine.

    Institutions using FedLine Services must complete a self-assessment to ensure compliance with the required security controls. All service providers and financial institutions are expected to complete the Assurance Program requirements annually. The security and control procedures for each FedLine Solution contain security controls relevant to the specific FedLine Solution. These security controls may apply to your service providers as well.

    As for the assessment, each institution is permitted to determine the methodology in which it conducts the self-assessment, as long as the self-assessment is sufficient to enable the institution to submit the attestation. Although I don't have any assessments to share, I believe you can leverage your existing third-party due diligence questionnaire to some degree. I would start with your existing information security controls questions and compare them to the controls specified in the security and control procedures for each FedLine Solution. That should give you a good start. But I would love to hear what other members might recommend.