Effective August 1, 2014, the Federal Reserve Banks are amending Operating Circular 5, Electronic Access. These revisions mainly address the recent move toward using the FedLine Web® channel for the submission of certain regulatory reports, as well as changes in technology and related terminology. A number of the revisions also relate to institutions’ responsibilities for their own security environment and new notification requirements relating to suspected unauthorized use of electronic connections and suspected disclosures of confidential information.
Key changes made by this amendment include the following:
- The definition of “Institution” in paragraph 1.1 has been broadened to include non-depository institution users of electronic connections for submitting regulatory reports and for other uses.
- Paragraph 1.4, Institution’s Security Obligations, has been revised to include additional affirmative security obligations regarding the prevention of fraud and unauthorized access, as well as heightened notification requirements about loss or security incidents.
- Paragraph 2.0, Participant’s Equipment and Software, now explicitly provides that a Reserve Bank’s knowledge of noncompliance by an institution or its service provider with Reserve Bank requirements for computers and associated equipment does not constitute the Reserve Bank’s approval of the noncompliance. It also states that noncompliance with Reserve Bank requirements is solely at the risk of the institution and its service provider, where applicable.
- Paragraphs 4.7 and 4.8 have been revised to use the more comprehensive term “Malware” rather than “virus” for malicious code that may disrupt the operations of computers or software. In addition, paragraph 4.8 now explicitly requires institutions and their service providers to institute or reinforce procedural controls, such as timely patching of software and regular scanning or assessment of their enterprise environments for vulnerabilities and other exposures.
- Paragraph 5.1, Responsibility for Access Control Features, includes more-specific provisions regarding institutions’ responsibilities for preventing and detecting unauthorized logical and physical access to security tokens, passwords, routers, and other access control features associated with the communication facilities used to exchange data with the Reserve Banks.
- Paragraph 5.3, Compliance with Reserve Bank Standards, has been revised to include an explicit requirement that institutions and their service providers implement additional security measures as necessary with respect to their own operating environments.
- Paragraph 5.4, Confidentiality of Reserve Bank Proprietary and Security-Related Information, has been revised to require institutions and their service providers that become aware of any suspected or confirmed unauthorized disclosure or use of confidential information to immediately notify the Reserve Banks of the unauthorized disclosure or use and to take all reasonable efforts necessary to prevent further unauthorized disclosure or use.
This amendment incorporates a number of other, less significant changes. The definitive text of revised Operating Circular 5 is posted on FRBservices.org.
Your continued use of Federal Reserve Bank services on or after August 1, 2014, constitutes agreement to the new terms of the operating circular.
The official version of the amended operating circular is available on the Federal Reserve Bank Services website. To request a paper copy of any operating circular, contact your Customer Contact Center.
“FedLine Web” is a registered service mark of the Federal Reserve Banks. A complete list of marks owned by the Federal Reserve Banks is available at FRBservices.org.