Author: Federal Student Aid
Electronic Announcement ID: GENERAL-24-46
Subject: Service Provider Relationships for GLBA Compliance

Federal Student Aid (FSA) has recently received requests from eligible institutions for additional information about information security requirements under the Gramm-Leach-Bliley Act (GLBA). This announcement provides our partners with additional guidance regarding information security certification requirements that are necessary to ensure compliance with GLBA.

Background

On February 9, 2023, FSA announced updates to the GLBA requirements for institutions and third-party servicers (Electronic Announcement GENERAL-23-09: Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements). On December 9, 2021, the Federal Trade Commission (FTC) issued final regulations (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the GLBA requirements for protecting the privacy and personal information of consumers, which applies to institutions participating in Title IV, HEA programs. The GLBA, among other things, defines a service provider as any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution. An institution's responsibilities regarding service providers are outlined at 16 C.F.R. 314.4(f), which requires the institution to oversee service providers by:

  1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;

  2. Requiring service providers by contract to implement and maintain such safeguards; and

  3. Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards.

Compliance with GLBA and Requests for Information Security Certification

For purposes of complying with 16 C.F.R. 314.4(f), the Department and FSA are not considered service providers or vendors to institutions for the purpose of cybersecurity compliance with GLBA. Therefore, institutions do not need to request information security certification to comply with the GLBA requirements. The Department, through various systems of records, provides access and disseminates applicant information and other Title IV, HEA student aid information under the Student Aid Internet Gateway (SAIG) Agreement and Program Participation Agreements (PPA) to institutions. Due to the nature of the PPA and applicable laws and regulations related to program participation, institutions participating in federal student financial aid programs do not have service provider relationships with the Department or FSA.

As a reminder, institutions must immediately report breaches within 24 hours after the incident is known or identified. To report a breach, use the Cybersecurity Intake Page. If you have questions about the information included in this announcement, or to sign up for our Quarterly Cybersecurity newsletter, please contact FSASchoolCyberSafety@ed.gov.