Federal Reserve Bank of Dallas
Dallas, Texas 75222
William H. Wallace
First Vice President
January 16, 1985
Circular 85-9
TO: The Chief Executive Officer of all depository institutions in the Eleventh Federal Reserve District
SUBJECT: Data communications security
DETAILS:
As you are aware, there has been special attention devoted lately to risk on high dollar value payments systems. One such type of risk is fraud risk -- the risk that payments data might be compromised, resulting in loss to a depository institution or its customers. The purpose of this letter is to describe to you the Federal Reserve System's approach to addressing this type of payments system risk for its electronic payments services.
As background, it is important to recognize that the nation's payments increasingly are being made in electronic form and frequently involve the transfer of final funds that are made available to depository institutions' customers for immediate use. Moreover, the typical size of a payment sent over electronic funds transfer networks is large; the average value of a Fedwire payment, for example, is $2.2 million. These factors indicate the need for careful attention by all payments system participants to network security.
One aspect of network security that is receiving special attention is protection of electronic data as it flows between depository institutions, that is, the security of data flowing over communications lines. We in the Federal Reserve have long emphasized the importance of security on the Fedwire network. Today, additional security enhancements are being planned that we wish to bring to your attention. These security enhancements relate to the protection of data flows over the communications lines and circuits connecting depository institutions with the Federal Reserve Banks.
As a general principle, the Federal Reserve's objective is to protect both the integrity and privacy of electronic data flowing between the Reserve Bank and on-line depository institutions, especially data relating to value transfers. Data integrity means securing the data so that it cannot be altered by unauthorized parties, while data privacy means securing data so that it cannot be intercepted and read by unauthorized parties.
The first phase in the Federal Reserve's plan to enhance data security will provide privacy and security through the use of data encryption. The Reserve Banks will release detailed technical specifications for encrypting depository institutions' on-line links to the Federal Reserve beginning in early 1985. These specifications will describe data encryption solutions that will cover the range of connection types -- including leased line and dial-up terminal connections and computer interface connections -- under the synchronous communications protocol that is being implemented on all of the Reserve Banks' local networks.
The Federal Reserve encourages the encryption of depository institutions' connections and it is likely that at some future time, which will be announced in advance, encryption will be required for all SDLC protocol terminals. Further, we are willing to work with computer interface institutions operating under the old BOPEAP protocol to encrypt their links as an interim measure until they convert to the new computer interface protocol.
For additional copies of any circular please contact the Public Affairs Department at (214) 651-6289. Banks and others are encouraged to use the following incoming WATS numbers in contacting this Bank: (800) 442-7140 (intrastate) and (800) 527-9200 (interstate).
This publication was digitized and made available by the Federal Reserve Bank of Dallas' Historical Library (FedHistory@dal.frb.org)
The one-time costs associated with the implementation of data encryption will be recovered from the institution whose link is being encrypted. The one-time fixed costs directly associated with changes at both ends of the connection will be recovered either through a one-time charge or through the monthly lease fee for institutions leasing their terminals from the Reserve Bank. These expenses are likely to be quite modest on an individual institution basis. The host software/hardware costs and ongoing maintenance costs for encryption will be absorbed by the Federal Reserve, to be recovered through the regular fee structure for electronic payments services.
Concurrent with the implementation of encryption, the Federal Reserve will pursue research and development for additional data security enhancements to increase further the security of its on-line links with depository institutions. In particular, the Federal Reserve is investigating the use of message authentication codes (MAC) in addition to data encryption.
Depository institutions should be aware of the Federal Reserve's continuing and long-term commitment to enhance data security through the use of data encryption and message authentication. We look forward to working with you to ensure that our communications links have the highest possible degree of data security.
If you have any questions about the Federal Reserve's general plans in this area, please call Larry J. Reck at (214) 651-6320 or Billy B. Musgrave at (214) 651-6188 of this Bank. More details of the specific implementation programs will be sent to you as soon as they become available.
Sincerely yours,