Publication Date: January 9, 2015
DCL ID: GEN-15-01
Subject: Third-Party Servicer Institutional Requirements and Responsibilities
Summary: This letter provides guidance to institutions that contract with third-party servicers to administer any aspect of the institution’s participation in the student assistance programs authorized under Title IV of the Higher Education Act of 1965, as amended (HEA). For more information, see 34 C.F.R. § 668.2 (definition of third-party servicer); 34 C.F.R. §§ 668.23, 668.25; Dear Colleague Letter GEN 12-08.
We have determined that a significant number of institutions have failed to report, update, and/or have reported incorrect third-party servicer information on the institution’s Application for Approval to Participate in the Federal Student Financial Aid Programs (E-App), under the regulations at 34 C.F.R. § 668.25. We are aware that some servicers have told institutions not to report them as third-party servicers, creating confusion regarding what entities should be reported as third-party servicers. We have developed this guidance to provide clarity on the third-party servicer requirements of the regulations.
What are the activities performed by a third party that determines if that entity is a third-party servicer under the regulations?
Under the regulations at 34 C.F.R. § 668.2, a third-party servicer is any individual or entity that contracts with or performs work on behalf of an institution to administer, through manual or automated processing, any aspect of an institution’s responsibilities under the Title IV, HEA programs. As provided in the regulations, an institution’s Title IV responsibilities include, but are not restricted to, performing one or more of the following:
Processing of student financial aid applications, including Free Application for Federal Student Aid (FAFSA) or pre-FAFSA completion services performed on behalf of an eligible institution;
Collecting, reviewing, and/or maintaining supporting documentation required to process Title IV funds;
Awarding, certifying, originating, and/or disbursing Title IV funds;
Delivering Title IV credit balance refunds to students or parents (via cash, check, Automated Clearing House (ACH), debit card, or other means);
Providing financial aid counseling, including assistance to students or parents in person, over the phone, or by any electronic means, including operation of call centers;
Performing default prevention/management functions for Direct Loan, Federal Family Education Loan, and/or Perkins Loan programs, including cohort default analysis, enhanced loan counseling, delinquency assistance, development/implementation of a default management plan, and/or other default prevention outreach activities;
Providing entrance and exit loan counseling, including in person, by mail, or electronically;
Performing Federal Perkins Loan servicing or collections;
Financial aid consulting, including financial aid staffing, interim management, processing support, and/or development and maintenance of written policies and procedures;
Preparing and/or submitting required reports including enrollment reporting to the National Student Loan Data System, the Integrated Postsecondary Education Data System, Campus Crime and Security, and the Fiscal Operations Report and Application to Participate reporting; and
Preparing or disseminating required consumer information disclosures, including general, campus crime, drug and alcohol prevention, graduation rates, placement rates, and gainful employment disclosures.
As provided in the regulations, performance of one or more of the following does NOT create a regulatory third-party servicer relationship:
Publishing, providing, and administering ability-to-benefit tests;
Financial and compliance auditing, including preparation of financial statements;
Mailing of documents prepared by the institution;
Warehousing of records; and
Providing computer services or software as long as the provider is not responsible for using the software for the institution’s student aid purposes.
The exclusion for “providing computer services or software” is limited to computer products and/or services that reside at and are under the control of the institution. The exclusion does not apply if the provider performs any Title IV activity and/or maintains any student level information. Similarly, the exclusion for the “warehousing of records” is restricted to the physical storage of Title IV related records. Entities that host secure portals or similar technologies for the transmission and/or electronic storage of and access to Title IV-related documents are considered third-party servicers and must comply with all regulatory requirements.
Institutional Requirements for Reporting Third-Party Servicer Information
Institutions must report, using the Department’s E-App process, the names of any individual or entity that performs for, or on behalf of, the institution any of the Title IV functions listed above. The information must be reported within 10 calendar days of the institution entering into a contract (or any other written or oral agreement) with the third party. This reporting requirement also applies whenever there is any substantial modification to an existing contract or agreement or the termination of a contract or agreement. 34 C.F.R. § 668.25(e).
Third-Party Servicer Contract Requirements
When contracting with an institution for performing or providing any relevant Title IV function, the servicer and/or any of its contractors, essentially “steps into the shoes” of the institution with respect to compliance with the requirements for institutional administration of the Title IV student assistance program activity. The institution must ensure that its contract with any third-party servicer contains the required elements outlined in the regulations at 34 C.F.R. § 668.25(c).
In the contract, the third-party servicer must agree to comply with all statutory and regulatory provisions applicable to the Title IV functions provided by the third party. The third-party servicer must agree to abide with any special arrangements, agreements, limitations, suspensions, and terminations that apply to the institution under Title IV of the HEA. This includes the requirement to use any funds that the servicer administers under any Title IV, HEA program and any interest or other earnings solely for the purposes of that program. 34 C.F.R. § 668.25(c)(1).
The contract must also indicate that a servicer agrees to:
Refer to the Office of Inspector General (OIG) of the Department any information indicating there is reasonable cause to believe that the institution or an applicant for Title IV, HEA funds might have engaged in fraud or other criminal misconduct (34 C.F.R. § 68.25(c)(2));
Be jointly and severally liable with the institution for any violation of Title IV, HEA requirements resulting from the functions performed by the servicer (34 C.F.R. § 668.25(c)(3));
Confirm the eligibility of a student before disbursing Title IV, HEA funds to a student and to calculate and return any unearned Title IV, HEA funds in accordance with the provisions of 34 C.F.R. §§ 668.21, 668.22 in the case of a third-party servicer that is involved in the process of disbursing Title IV, HEA funds (34 C.F.R. § 668.25(c)(4)); and
Return to the institution all records and Title IV funds in the servicer’s possession pertaining to the institution’s participation in the program or programs if the servicer or institution terminates the contract, if the servicer stops providing services for the administration of a Title IV program, or the servicer files a petition under the Bankruptcy code (34 C.F.R. § 668.25(c)(5)).
In addition, the contract must identify the third-party servicer by its legal name and by any other name the servicer does business as (d/b/a). The contract must provide the physical address and primary phone number of the servicer’s primary location, as well as the name, title, phone number, and e-mail address of the president or chief executive officer of the entity. The contract must clearly describe the specific Title IV functions that the third-party servicer will perform for the institution. If a third-party servicer subcontracts any of its contractual responsibilities, the contract must identify the subcontractor and clearly describe the functions performed on behalf of the servicer and school by the subcontractor.
In certain circumstances a third-party servicer may be considered a school official for the purposes of the Federal Family Educational Rights and Privacy Act (FERPA) and, in those circumstances, is permitted to receive and use personally identifiable information (PII) from education records without the student’s consent to the same extent as is permitted for a school official or employee. If a servicer is using the PII to set up a bank account for the student or to maintain a credit balance for the student, it must obtain prior written consent of the student. See 34 C.F.R. §§ 668.164(c)(3)(i), 668.165(b)(1)(ii).
FERPA regulations describe the conditions that must be met for a contractor or other party to whom an institution has outsourced institutional services or functions to be considered a school official under FERPA. Specifically, the contractor or the other outside party must:
Perform an institutional service or function for which the school would otherwise use employees;
Be under the control of the school with respect to the use and maintenance of education records; and
Comply with the FERPA requirements governing the use and redisclosure of PII from education records. 34 C.F.R. § 99.31(a)(1)(i)(B).
A school official may disclose PII from education records to a third-party servicer that meets the above criteria without the student’s consent, but only if the school official determines that the third-party servicer has “legitimate educational interests.” 34 C.F.R. § 99.3(a)(1)(i)(A). Each postsecondary institution is required to include the criteria for who is considered a “school official” and what is considered a “legitimate educational interest” in its annual notification of rights under FERPA. 34 C.F.R. § 99.7(a)(3)(iii).
Contractors to whom institutions disclose PII from students’ education records may use that PII only for the purpose(s) for which they are disclosed. 34 C.F.R. § 99.33(a)(2). For a third-party servicer, that purpose is the Title IV function the servicer has contracted to perform on behalf of the institution.
Security Information Program Requirements
Postsecondary educational institutions participating in the Title IV, HEA programs are subject to the information security requirements established by the Federal Trade Commission (FTC) for financial institutions. These FTC requirements also apply to Title IV third-party servicers. The requirements apply to all customer information in an institution’s possession, regardless of whether such information pertains to students, parents, or other individuals with whom the institution has a customer relationship, or pertains to the customers of other financial institutions that have provided such information to the institution. Customer information is any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the institution or its affiliates. As a financial institution covered under these information security requirements, an institution must develop, implement, and maintain a comprehensive information security program.
The information security program must be written in one or more readily accessible parts and contain administrative, technical, and physical safeguards that are appropriate to the size and complexity of the school, the nature and scope of its activities, and the sensitivity of any customer information at issue. Under these provisions, a service provider is any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly with an institution. Institutions must take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue and require service providers by contract to implement and maintain such safeguards.
See 15 U.S.C. §§ 6801(b), 6805(b)(2); 16 C.F. R. §§ 313.3(n), 314.1–5; Gramm Leach Bliley Act, Pub. L. No.106-102
Third-Party Servicer Compliance Audits
In general, under the regulations at 34 C.F.R. § 668.23(c), a third-party servicer must submit annually to the Secretary its compliance audit no later than six months after the last day of the servicer’s fiscal year. The Department is aware that some third-party servicers have not filed annual compliance audits due to an incorrect assessment of whether the entity meets the regulatory definition of a third-party servicer and/or based on the omission of specific audit procedures in the OIG Audit Guide for some services or functions performed on behalf of an institution. Third-party servicers that are subject to the audit requirements outlined in 34 C.F.R. § 668.23(c) that did not submit a required audit(s) for one or more years must:
Submit a compliance audit no later than one fiscal year subsequent to the date of this letter; and
Submit a letter to the Department within 60 days of the date of this letter describing the Title IV-related functions the entity performs on behalf of higher education institutions along with an explanation of the reason(s) the servicer did not submit its required compliance audits.
Additional guidance concerning audit requirements will be forthcoming. Letters should be submitted to:
Ralph A. LoBosco, Director
Federal Student Aid
Third-Party Servicer Oversight Group
United States Department of Education
1010 Walnut Street, Suite 336
Kansas City, MO 64106-2147
If you have any questions about the information contained in this Dear Colleague Letter, please contact the Third-Party Servicer Oversight Group by e-mail at FSAPC3rdpartyserviceroversight@ed.gov or by telephone at (816) 268-0543.
Lynn B. Mahaffie
Acting Assistant Secretary
Office of Postsecondary Education