DoE’s Third-Party Servicers: Vendor Management


UPDATE: On Feb. 28, 2023, the Department of Education updated its letter to extend the public comment period, establish a future effective date of September 1, 2023 for the guidance, and extend the reporting deadline for institutions and third-party servicers.

The recently released Department of Education (DoE) Dear Colleague Letter (DCL) on Third-Party Servicers (TPS) has created widespread confusion and concern across the higher education community as colleges and universities work to determine how new, required responsibilities may impact their current environments.

As stated, the new TPS requirements would mandate institutions to report and register any third-party service providers that administer any aspect of the Title IV or student assistance program. This could include financial aid management, student recruitment and retention, academic engagement, admissions, registration, billing, learning management, educational content and instruction, etc.

The letter required institutions to:

  • Report a third-party servicer within 10 days of contracting through the Department’s E-App process. Ensure contracts include specified terms, and obtain a signed certification form from each third party.
  • Report whenever there is a substantial modification to an existing contract or termination of the contract.

The letter bans the use of foreign-owned third parties, third parties located overseas, and third parties that use non-US based service providers/subcontractors. Therefore, if any current providers are not owned or based in the US, the institution may have to migrate to a new system by the effective date or be ruled non-compliant with Title IV regulations. For institutions that may have to re-evaluate one or more major systems, this could create significant compliance concerns and challenges that cannot be resolved quickly. Following initial pushback, the DoE extended the required reporting date of May 1, 2023 to September 1, 2023, but even this extended timeframe may be a struggle to meet. The size and complexity of many systems make it difficult to make such a transition within a year, let alone a six-month window.

The letter also prohibits the use of any providers who have had audit findings that resulted in the servicer being required to repay an amount greater than five percent of the funds that the servicer administered, violated certain provisions, or have been cited during the preceding five years for failure to submit audit reports. This becomes an additional challenge as institutional leadership begins to review existing contracts. Where would the institution look to research violations that may have occurred? How would they confirm old audit findings? Who should they ask about repayment amounts?

EDUCAUSE and other higher education organizations have called on the DoE to withdraw this recent guidance. While we wait to learn if and how the DoE will respond, and what actions it might take, many organizations may be planning to wait and see if the requirement is changed. However, it is recommended that schools start:

  • Documenting and maintaining an inventory of all TPS relationships
  • Reviewing existing third-party contracts and identifying any contracts that may fall into scope
  • Sharing the DCL with your general counsel or legal team to ensure they are aware of the new guidance and can participate in discussions as things move forward
  • Reviewing contract provisions (e.g., confidentiality, non-disclosure, student privacy, etc.)
  • Ensuring all departments are familiar with the decision-making and approval process for selecting and contracting with third-party service providers. You may want to review how this process is structured. How is information communicated and enforced (e.g., do you have a centralized approval process, is approval necessary only for those providers that fall over a specific dollar amount, or is the approval process based on the type of data involved)?
  • Ensuring this process also includes approval for additional services that are added after the initial contract review. For example, if a department suddenly adds a service offering from a third-party that wasn’t in use previously, they may be bringing that third-party in scope for the new requirements. During initial contract reviews, evaluate all available services within an application so you can outline which services would require additional approval prior to usage.

The DCL did not include clear consequences of non-compliance; however, if the DoE finds an institution in violation of Title IV regulations, the institution and students risk losing federal funding. The letter also implies that institutions will be held jointly responsible with the TPS for violations.

All providers must submit a Third-Party Servicer Data Form to the DoE and undergo annual compliance audits. With added requirements for those companies now being identified as third-party servicers, there is a risk they will raise prices or include additional fees to account for the added cost of compliance, which will also impact colleges and universities.

Ensuring you have a clearly defined process for contracting with vendors and monitoring compliance status on an ongoing basis is not new to higher education: it is more strictly enforced under the new PCI DSS v4.0 and was also specifically called out in the updated FTC Safeguards Rule. Regardless of the outcome of the DoE’s decision and scope of the new requirements for Title IV programs, it is increasingly important for organizations to implement a formal vendor management program.


About the Author
Katie Johnson


PCIP

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.