third-party servicers

Institutions of higher education (IHEs) and companies providing services to IHEs (including so-called online program managers or OPMs) should take careful note of two announcements by the U.S. Department of Education that could significantly impact the institution/service provider relationship and the Department’s oversight of that relationship.

First, and most immediately effective, the Department has revised its subregulatory guidance regarding the activities that make an entity providing services to an IHE a “Third Party Servicer” (TPS) for Title IV purposes. In a significant expansion over prior guidance, an OPM providing services to an IHE related to student recruiting and retention, providing software products and services involving Title IV administration activities, or providing educational content and instruction are now defined as a TPS. Being defined as a TPS comes with significant increased risk and compliance obligations by the third party and the institution. There is an open public comment period on this change through March 17, 2023.

Read the full text of this Alert on the Duane Morris website.

Important Update: On February 28, 2023, the Department published an update to Dear Colleague Letter 23-03 that makes clear the guidance does not become effective until September 1, 2023. The reporting deadline for institutions and third-party servicers to report to the Department is also extended until September 1, 2023. Further, the Department extended the comment period through March 30, 2023.

On February 28, 2020, the U.S. Department of Education’s Office of Federal Student Aid (FSA) issued an electronic announcement regarding the enforcement of the Gramm-Leach-Bliley Act’s (GLBA) cybersecurity requirements for all institutions of higher education participating in the Title IV, Higher Education Act (HEA) federal student financial aid programs and their third-party servicers. The announcement states that auditors are expected to evaluate three GLBA information safeguard requirements in annual compliance audits of postsecondary institutions and third-party servicers. Any finding of noncompliance will be sent to both the Federal Trade Commission (FTC) and the FSA’s cybersecurity team for further investigation and potential adverse action. All Title IV participating institutions should consult with counsel about the very serious consequences and administrative actions that may be taken if they or their third-party servicers fail to meet the GLBA’s information security requirements.

To read the full text of this Duane Morris Alert, please visit the firm website.