Amendments to Operating Circulars 4 and 6
July 20, 1999
Circular No. 11168

Revised Security Procedures and Agreements

In connection with the recently announced availability of Triple DES encryption for depository institutions (DI) that use Fedline® software1, the security procedures and related agreements for ACH and Fedwire® funds transfer services have been revised. The enclosed, amended procedures and agreements allow us to offer multiple Level One (for ACH) or online (for Fedwire) security options. The need for this flexibility is becoming increasingly important given the rapid advancements in electronic access methods and electronic security. For example, the Reserve Banks anticipate that, in the future, the on-line and Level One security options may include an Internet access method.

The revised security procedure appendices provide that when a DI uses one of the online or Level One security options, it rejects the other online or Level One security options. In addition, each DI agrees that it will be bound by any transaction, whether or not authorized, if it was issued in the DI's name and accepted by a Reserve Bank in accordance with the security procedure selected by the DI.

Please replace your existing security procedures and agreements in Operating Circular numbers 4, Automated Clearing House Items and 6, Funds Transfer through Fedwire, with the enclosed, revised Appendices A and A-1.

Requirements for Executing New Agreements

The Reserve Banks are implementing the revised appendices now because, with the introduction of Triple DES encryption, current Fedline customers have two online security options. The majority of our Fedline customers will implement the new Triple DES online security option within the next several months. However, there are a number of Fedline customers that may choose not to implement Triple DES at this time due to technical or other business reasons. We strongly recommend that all DIs implement Triple DES at their earliest opportunity.

Because each DI that currently uses the ACH and/or Fedwire service has already executed a security procedure agreement, the Reserve Banks have decided that it is not currently necessary to obtain new security procedure agreements from all customers. However, DIs that choose NOT to implement Triple DES are required to sign and return the revised security agreements to the Federal Reserve Bank by September 30, 1999 unless one of the following statements is true.

You are a computer interface customer.

You are a Fedline customer that uses a link encryptor.

You do not have on-line access.

If a DI uses the services of an ACH service provider or is a party to a Fedwire Third Party Access Agreement, the DI is required to execute new security agreements unless the service provider satisfies one of the above requirements.

DI's that convert to Triple DES by September 30, 1999 are not required to sign new security procedure agreements at this time.

If, after reviewing the above conditions, you are not sure if you are required to sign new agreements, or if you have any questions regarding Triple DES or the revised appendices to our Operating Circulars, please contact your local Fedline customer support area for assistance.

Fedline is a registered trademark of the Federal Reserve Banks.

The availability of Triple DES (Data Encryption Standard) was announced in our letter (pdf - 10kb), dated April 28, 1999.

Fedwire is a registered trademark of the Federal Reserve Banks.