DATE: August 25, 2022
SUBJECT: Electronic Funds and Securities Transfer Policy Message Authentication and Enhanced Security
- PURPOSE. This Directive states Treasury policy to assure the integrity of the Government's electronic funds transfer (EFT) data.
- SCOPE. This Directive applies to all bureaus, the Departmental Offices (DO), and the Offices of Inspector General. The provisions of this Directive shall not be construed to interfere with or impede the authorities or independence of the Offices of Inspector General.
- POLICY. It is the policy of the Department of the Treasury that EFT transactions be properly authenticated and protected.
  - Authentication measures must conform to the International Organization for Standardization (ISO) 16609 (2012) “Requirements for Message Authentication Using Symmetric Techniques” and related standards or an equivalent authentication technique. This standard establishes a universally applicable method to authenticate financial messages, including fund transfers, letters of credit, security transfers, loan agreements, and foreign exchange contracts that are transmitted by electronic means. These measures shall be applied to Federal systems that originate, transmit, relay, receive, or process Federal Government EFT transactions to prevent the undetected, deliberate, or inadvertent unauthorized manipulation, modification, or loss of EFT data.
  - Equipment designed and used to perform the authentication function must comply with the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 140-3, "Standard Security Requirements for Cryptographic Modules," dated March 22, 2019, which specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information.
  - Data must be encrypted, at a minimum, in accordance with NIST FIPS Publication 197, “Advanced Encryption Standard (AES),” dated November 26, 2001, or any subsequently updated NIST encryption standards recommended for the Federal government’s use.
- DEFINITIONS.
  - EFT Wire Transaction. This is defined as the movement of value from one party to another by electronic means. This does not include physical media transfers by magnetic tape, cartridge, diskette, or other similar technology.
  - EFT Other Media Transaction. This is defined as the movement of value from one party to another through magnetic tape, cartridge, diskette, or other similar technology.
  - Federal EFT System. A system owned, rented, or leased by the U.S. Government to originate, transmit, relay, receive, or process EFT data.
- RESPONSIBILITIES.
  - The Fiscal Assistant Secretary is responsible for:
    1) implementing the provisions of this Directive within the Department and Governmentwide, under the authority of Treasury Order (TO) 106-09; and
    2) determining, on a case-by-case basis, the application of EFT authentication to other media transactions.
  - The Assistant Secretary for Management, Heads of Bureaus, and the Inspector General, as it relates to their respective bureaus and offices, shall:
    1) ensure that all Federal EFT wire transaction systems are in compliance with the provisions of this Directive; and
    2) ensure that all new Federal EFT systems and interfaces between systems comply with the provisions of this Directive.
  - The Assistant Secretary for Management, or designee, shall:
    1) certify and maintain a list of approved authentication equipment and software techniques;
    2) provide technical support to aid in supporting this Directive, which includes maintaining sources of key material, evaluating appropriate levels of physical and ADP security, and maintaining workable doctrine on the implementation of the X9.9 Standard; and
    3) approve all equipment and techniques used in conjunction with this Directive.
- CANCELLATION. Treasury Directive 16-02, "Electronic Funds and Securities Transfer Policy Message Authentication and Enhanced Security," dated December 21, 1992, is superseded.
- AUTHORITY. Treasury Order 106-09, "Electronic Funds and Securities Transfer Policy -- Message Authentication and Enhanced Security," dated June 8, 2021.
- REFERENCES.
  - NIST FIPS Publication 140-3, “Security Requirements for Cryptographic Modules,” dated March 22, 2019.
  - NIST FIPS Publication 197, “Advanced Encryption Standard (AES),” dated November 26, 2001.
- OFFICE OF PRIMARY INTEREST. Office of the Fiscal Assistant Secretary.
/S/
David A. Lebryk
Fiscal Assistant Secretary