(GEN-23-03) Requirements and Responsibilities for Third-Party Servicers and Institutions (Updated May 16, 2023)

Publication Date
February 15, 2023
DCL ID
GEN-23-03
Subject
Requirements and Responsibilities for Third-Party Servicers and Institutions (Updated May 16, 2023)
Summary
This letter updates guidance to institutions that contract with a third-party servicer (TPS) to administer any aspect of the institution’s participation in the student assistance programs authorized under Title IV of the Higher Education Act of 1965, as amended (HEA).

Note

On May 16, 2023, we published Dear Colleague Letter GEN-23-08, which rescinded the Department’s prohibition on contracting with foreign or foreign-owned third-party servicers and further delayed the implementation of the remaining guidance in this letter regarding third-party servicers. The Department stated that it plans to publish revised guidance with an effective date at least six months after its publication. Please see Dear Colleague Letter GEN-23-08 for more information.

On Feb. 28, 2023, we updated this letter to extend the public comment period, establish a future effective date for the guidance, and extend the reporting deadline for institutions and third-party servicers.

On Feb. 16, 2023, we corrected the content of the table titled "Recruitment- and Application-Related Activities" to add information that was inadvertently omitted during the publication process.

Dear Colleague:

Since we issued our most recent Dear Colleague Letters regarding third-party servicers, the U.S. Department of Education (Department) has reviewed numerous contractual arrangements between institutions and outside entities. These reviews have confirmed that most activities and functions performed by outside entities on behalf of an institution are intrinsically intertwined with the institution’s administration of the Title IV programs and thus the entities performing such activities are appropriately subject to TPS requirements. The HEA makes clear that agreements to administer “any aspect” of an institution’s participation in the Title IV programs fall within the scope of the Department’s TPS oversight authority. 20 U.S.C. § 1088(c). The information gathered in the Department’s review highlighted the need for an updated list of functions and activities that fall within the scope of the TPS requirements.

In particular, the Department is revising its guidance concerning the functions of student recruiting and retention, the provision of software products and services involving Title IV administration activities, and the provision of educational content and instruction. The Department is aware that a large and growing industry has developed to provide one or more of these services as a means of transitioning academic programs into a distance education format and expanding enrollment. Companies providing such services are sometimes referred to as “online program managers,” or OPMs. An April 2022 Government Accountability Office (GAO) report defines OPMs as generally providing services that include “market research, marketing and student recruiting, enrollment management, student retention services, and technology-related support.” The GAO report goes on to state that, based upon information it obtained from a market research firm, at least 550 institutions worked with an OPM as of July 2021 and that the market continues to grow. As described in Dear Colleague Letter GEN-22-07, the Department has separately become aware of non-compliance with limitations on the portion of an eligible academic program that can be provided by a third party.

Although the functions described above are subject to important statutory and regulatory limitations, such as the prohibition on incentive compensation for recruitment and limitations on the percentage of an academic program that can be provided by an ineligible institution or organization, the Department has not previously notified the community that the performance of these functions subjects an entity to TPS requirements. The Department’s recent review of these functions, and the 2022 GAO report cited above, have made clear that the Department must conduct oversight of the entities performing these functions to ensure compliance with the TPS requirements. We therefore issue this guidance to clarify that entities performing the functions of student recruiting and retention, the provision of software products and services involving Title IV administration activities, and the provision of educational content and instruction are defined as third-party servicers. As such, the institutions that contract with these entities are subject to reporting requirements with respect to the entities, and the entities themselves are subject to annual non-federal audits of the Title IV-relevant functions they perform, if such functions are covered by the audit guide.

The Department wishes to ensure that eligible institutions and third-party servicers have a clear understanding of the requirements for third-party servicers and a reasonable amount of time to comply with those requirements. Therefore, the guidance in this Dear Colleague Letter will not become effective until September 1, 2023. Reporting requirements will also go into effect on that date.

On the effective date, the guidance in this letter will update and replace past guidance provided in Dear Colleague Letters GEN 12-08GEN 15-01, and GEN 16-15 (as amended by our March 8, 2017 electronic announcement), and those documents will be rescinded.

Third-Party Servicer Definition and Activities

A TPS is any entity or individual that administers, any aspect of an institution’s participation in the Title IV programs. 34 C.F.R. § 668.2 (definition of a third-party servicer). In general, a TPS performs functions or services necessary—

  • For the institution to remain eligible to participate in the Title IV programs;

  • To determine a student’s eligibility for Title IV funds;

  • To provide Title IV-eligible educational programs;

  • To account for Title IV funds;

  • To deliver Title IV funds to students; or

  • To perform any other aspect of the administration of the Title IV programs or comply with the statutory and regulatory requirements associated with those programs.

To protect the interests of institutions, taxpayers, and students, an institution may not contract with a TPS to perform any aspect of the institution’s participation in a Title IV program if the servicer (or its subcontractors) is located outside of the United States or is owned or operated by an individual who is not a U.S. citizen or national or a lawful U.S. permanent resident. This prohibition applies to both foreign and domestic institutions.

Additionally, under the regulations at 34 C.F.R. 668.25(d), a TPS may not have –

  • Been limited, suspended, or terminated by the Secretary within the preceding five years;

  • Had, during the servicer’s two most recent audits, an audit finding that resulted in the servicer being required to repay an amount greater than five percent of the funds that the servicer administered under the Title IV programs for any award year; or

  • Been cited during the preceding five years for failure to submit audit reports required under Title IV of the HEA in a timely fashion.

If the Secretary determines that a TPS has not met the required standards of conduct or has violated its fiduciary duty, the Secretary may fine the servicer or limit, suspend, or terminate the servicer’s participation in the Title IV programs under 34 C.F.R. part 668, subpart G. A former TPS, once subjected to a termination action by the Secretary, may not enter into a written contract to administer any aspect of an institution’s participation in the Title IV programs unless financial guarantees and acknowledgements of joint and several liability under 34 C.F.R. 668.25(d)(2) are provided.

The following set of tables include a non-exhaustive list of functions and services that, if outsourced by an institution to a third party, would render that third party a TPS subject to the TPS requirements. The set of tables also list potential exceptions.

Third-Party Servicer

Not a Third-Party Servicer

The activities, functions, services, or roles in this column ARE considered an aspect of an institution’s participation in a Title IV program, whether performed from a remote location or on-site at an institution, and thus are subject to TPS requirements if performed on behalf of a Title IV-eligible institution.

The institution and TPS are jointly and severally liable to the Department for any violation by a TPS.

The activities, functions, services, or roles in this column ARE NOT considered an aspect of an institution’s participation in a Title IV program and thus are not subject to TPS requirements if performed on behalf of a Title IV-eligible institution.

The institution is solely responsible for any Title IV liability incurred as a result of a non-TPS contractor violation.

Third-Party Servicer

Not a Third-Party Servicer

Interacting with prospective students for the purposes of recruiting or securing enrollment. This includes, but is not limited to, providing prospective students with information on educational programs, application and document requirements, deadlines, and the enrollment process.

Assisting students with the completion of application and enrollment processes. This includes offering admission and enrollment counseling.

Processing admissions applications, including the collection of documents, screening, and/or determining initial or final qualification of applicants.

Establishing or modifying admissions standards for acceptance into the institution or any educational programs offered by the institution.

Processing Title IV student financial aid applications, including FAFSA or pre-FAFSA completion services.

Performing individualized and interactive financial aid counseling in person, over the telephone, and/or by electronic means, including operating call centers and online support/engagement tools to answer general questions and/or assist students through the financial aid processes necessary to award and disburse Title IV funds. Such processes include, but are not limited to, completing the FAFSA, conducting verification, identifying and resolving student eligibility issues, and providing general Title IV counseling.

Conducting, hosting, or assisting with community awareness/public service Free Application for Federal Student Aid (FAFSA®) completion events and/or general financial aid/college presentations open to the public and not limited or restricted to students attending, applying to, or considering applying to a specific institution or institutions (e.g., College Goal Sunday).

Publishing and/or mailing general student financial aid information, policies, procedures, or handbooks prepared by the institution or other entities via print format, audio format, video format, and/or online, as long as such publication does not involve individualized and interactive financial aid counseling.

Third-Party Servicer

Not a Third-Party Servicer

Determining student Title IV eligibility and related activities, such as completing verification, performing satisfactory academic progress evaluations, determining award amounts, performing Return of Title IV aid calculations, and/or reconciling Title IV program accounts.

Processing, awarding, certifying, originating, and/or approving Title IV awards or award packages and/or disbursements, including requests for funding under the advance, heightened cash monitoring, or reimbursement methods of payment.

Administering/proctoring ability-to-benefit tests or establishing or administering any aspect of an eligible career pathway program.

Preparing/submitting required applications or reports, such as an institution’s Application for Approval to Participate in the Federal Student Financial Aid Programs (E-App), Fiscal Operations Report and Application to Participate (FISAP), Integrated Postsecondary Education Data System (IPEDS) reports, or Campus Safety and Security data reports, and/or reporting on behalf of an institution to the National Student Loan Data System (NSLDS).

Publishing ability-to-benefit tests.

Third-Party Servicer

Not a Third-Party Servicer

Preparing and/or obtaining data for required consumer information disclosures, such as:

  • The Campus Security Report (including crime statistics, timely warnings and emergency notifications, crime logs, and emergency response and evacuation procedures)

  • A biennial review of drug and alcohol abuse prevention programs

  • Graduation and transfer rates

  • Job placement rates and/or any related disclosures

  • Title IV loan counseling

  • A preferred lender list

Preparing and/or disseminating promotional materials to market educational programs if the entity or individual provides any technology, curriculum, or faculty, or is otherwise involved in the design or delivery of educational programs.

Conducting campus crime awareness and/or drug and alcohol prevention informational meetings, instructional programming, and/or public awareness campaigns/events that are open to the public and not limited to or restricted to attendance at a specific institution or institutions.

This exclusion does not apply if an institution requires attendance at an event or completion of training to comply with any Title IV requirement (e.g., requirements under the Campus Crime and Security Act or Violence Against Women Act, or Drug and Alcohol policy requirements).

Local or federal law enforcement agencies, fire departments, and/or other public safety agencies providing campus crime awareness and/or drug and alcohol prevention services.

Publishing and/or distributing an institution’s consumer information disclosures or marketing materials online and/or via print, audio, or video formats if the individual or entity does not provide any technology, curriculum, or faculty, and is not involved in the design or delivery of educational programs.

Reviewing or validating graduation, transfer, placement rate, or other data on student outcomes, so long as the entity is not involved in the gathering or analysis of the data or the dissemination of the information.

Third-Party Servicer

Not a Third-Party Servicer

Performing default management/prevention/aversion activities, such as contacting student loan borrowers to discuss repayment options or borrower account history, assisting with completion and/or collection of borrower deferment, forbearance, or repayment plan enrollment forms, performing Title IV loan counseling (including required entrance or exit counseling), implementation and oversight of a written default management plan, and/or accessing borrower information contained in Departmental systems.

Preparing or presenting financial literacy curricula or programming, workshops, and/or public awareness campaigns/events, so long as they are open to participants regardless of whether they receive Title IV aid.

This exclusion does not apply if an institution requires its students to attend a financial literacy event or complete financial literacy training or counseling to satisfy the institution’s exit loan counseling or other Title IV requirements.

Third-Party Servicer

Not a Third-Party Servicer

Cash management functions including, but not limited to:

  • Collecting student credit balance disbursement preferences.

  • Providing terms and conditions and/or disclosure statements related to the disbursement options available to a student or parent.

  • Collecting the financial account information necessary to initiate an Automated Clearing House (ACH) or electronic funds transfer (EFT) transaction of Title IV funds to a financial account designated by the student or parent for the receipt of those funds.

  • Notifying students of the disbursement of Title IV funds and/or the delivery of Title IV credit balances.

  • Receiving and processing electronic files (including files such as disbursement files, payment instructions, and fund wires) to print and mail Title IV credit balance checks and/or deliver Title IV credit balances to students or parents via ACH transactions, debit cards, or other means.

  • Monitoring of undeliverable and/or unnegotiated checks or rejected ACH or EFT transactions involving Title IV funds.

Conducting activities under tier 2 arrangements as described in 34 C.F.R. § 668.164(f).

Initiating or authorizing direct Automated Clearing House (ACH) transactions between an institution’s treasury account and an account designated by a student for receipt of Title IV funds.

Mailing checks issued by the institution.

Third-Party Servicer

Not a Third-Party Servicer

Collecting, reviewing, and/or maintaining the information and/or documentation necessary to make or support student eligibility determinations and/or to disburse Title IV funds to a student or borrower. This includes, but is not limited to, information necessary to validate information reported on a student’s FAFSA and/or to resolve conflicting information, as well as information regarding student disbursement preferences for the delivery of Title IV credit balances.

Warehousing of records, if such activity involves only storage of records and the entity has no access to or control over the data.

The exclusion for the “warehousing of records” is restricted to the storage of Title IV-related records and does not apply if the entity performs any Title IV activity on behalf of the institution within the data storage or hosted environment. For these purposes Title IV activity includes, but is not limited to, remote or automated processing.

The exclusion does not apply if the entity has view or update access to any student-level information within the hosted environment and/or exercises control over the data.

Providing computer services or software in which the provider has access to, or maintains control over, the systems needed to administer any aspect of the Title IV programs, whether through manual or automated processing, including, but not limited to, systems related to financial aid management, recruitment and enrollment, admissions, registration, billing, and learning management.

Providing computer services or software where the provider has no access to and maintains no control over the systems needed to administer any aspect of the Title IV programs.

This exclusion is limited to computer products and/or services that reside at and are under the control of the institution and does not apply if the provider performs any activity on behalf of the institution within a system through remote or automated processing, or if the provider uses or has view or update access to any student-level information in any system used for the administration of any aspect of the Title IV programs.

Third-Party Servicer

Not a Third-Party Servicer

Conducting activities designed to keep an individual enrolled at an institution eligible for Title IV aid. These activities include, but are not limited to:

  • Monitoring academic engagement and/or daily attendance.

  • Conducting outreach to students regarding attendance or academic engagement.

  • Responding to inquiries from students and/or their families regarding assistance or resources designed to help students maintain enrollment in the institution/program or maintain eligibility for Title IV aid.

   

Third-Party Servicer

Not a Third-Party Servicer

Providing any percentage of a Title IV-eligible program at an institution, including:

  • Establishing requirements for the completion of a course and/or evaluating whether a student has met those requirements;

  • Delivering instruction or mandatory tutoring;

  • Assessing student learning, including through electronic means; or

  • Developing curricula or course materials, unless the institution maintains full control of the curriculum/materials and delivers the instruction itself. See previous Dear Colleague Letter.

Providing optional supplementary academic support to students, such as tutoring or other forms of optional academic assistance. This exclusion does not apply if the academic assistance is mandatory or a required part of the academic program.

Selling or providing course materials, if the institution maintains full control of the curriculum and delivers the instruction itself. This exclusion does not apply if the vendor maintains control of the program or materials after selling the materials to the institution or is in any way involved with instruction.

Third-Party Servicer

Not a Third-Party Servicer

Consulting on any topics related to financial aid, including financial aid staffing, interim management, processing support, and/or the development and maintenance of written policies and procedures.

Audit activities, if the individual or entity also performs any other activities related to the institution’s administration of the Title IV programs.

Consulting activities meeting all of the following criteria:

  • The services provided are strictly advisory in nature;

  • The institution employs a separate individual as a financial aid administrator with responsibility for Title IV program activities;

  • The consulting entity does not perform any Title IV activities; and

  • All decision-making and activities related to Title IV administration are carried out by institutional staff not affiliated with the consulting entity.

This exclusion does not apply unless all the criteria above are met.

The performance of only financial and compliance auditing, including the preparation of financial statements and required schedules (such as, Schedule of Expenditures of Federal Awards or the Financial Responsibility Supplemental Schedule), does not create a TPS relationship with the institution.

Third-Party Servicer

Not a Third-Party Servicer

Conducting any activities related to Federal Perkins Loan servicing or collection.

   

In determining whether an entity or individual is subject to the TPS requirements, the Department focuses on the specific services or functions performed by the entity/individual for the institution, as opposed to the entity’s title or a generic description of the types of services provided or functions performed. The Department has observed that providers often offer multiple versions of a product or service and frequently customize a product or service based on an institution’s unique needs. It is possible for an entity to be considered a TPS in relation to one institution and not for another, depending on the specific services or functions that the entity performs for each institution.

An institution must report any individual or entity with which it contracts that meets the TPS criteria listed above using the Department’s E-App process. The information must be reported within 10 calendar days of entering a contract (or any other written or oral agreement) with the third party. This reporting requirement also applies whenever there is any substantial modification to an existing contract or agreement or the termination of a contract or agreement. 34 C.F.R. § 668.25(e). If the institution is unsure of whether an individual or entity is subject to the TPS requirements, or any entity or individual directs the institution not to report the entity as a TPS, the institution should contact its School Participation Division at CaseTeams@ed.gov.

Regardless of whether an entity is considered a TPS for Title IV purposes, the institution has a fiduciary responsibility to ensure that any contracts, policies, procedures, products, or systems used by the institution or its contractors/providers are compliant with applicable laws and regulations. This includes the requirements in 34 C.F.R. § 668.24(f) that an institution be able to access all records (paper or electronic) created or maintained by a third party and to make those records readily available to the Department for review. If the provider or the institution terminates a contract, or the provider ceases to provide the product or service for any reason, including client non-payment, the institution must be able to take possession of all records in the provider’s possession pertaining to the institution’s participation in the Title IV programs and reclaim all Title IV funds held by the provider.

Institutions must also implement appropriate safeguards to protect student records and ensure any information shared from education records is only used for the purposes for which the information was disclosed. The institution will be held responsible for any liability incurred as a result of software deficiencies, data breaches, incorrect consulting advice, lost or damaged records, and/or violations of TPS requirements.

Questions and Answers Related to this Dear Colleague Letter

Third-Party Servicer General Questions (GEN)

Yes. A TPS is an entity or individual that administers any aspect of an institution’s participation in the Title IV programs, regardless of remuneration.

Yes. If a state agency performs Title IV functions or services on behalf of an eligible institution, the state agency is considered a TPS and subject to the applicable TPS regulations.

No. While the Department has oversight authority over a TPS performing Title IV functions for an institution, the Department does not list, endorse, or approve any TPS.

Yes. A TPS is subject to the same incentive compensation prohibitions as an institution. Neither persons nor entities may receive direct or indirect incentive compensation for recruiting or securing the enrollment of students, or for securing financial aid for students. See 34 C.F.R. § 668.14(b)(22).

Yes. A TPS, as an entity acting on behalf of a covered institution, is subject to the loan information disclosure requirements of 34 C.F.R. part 601, subpart B, including the preferred lender disclosure requirements, private education loan disclosure requirements, the prohibition on agreeing to the use of an institution’s name, and complying with the preferred lender arrangement code of conduct. See 34 C.F.R. § 601.10, 601.11, 601.12, 601.21.

It depends upon the nature of the staffing agency and the functions it performs. A temporary staffing agency that does not specialize in, or have a significant presence in, the higher education sector or the administration of Title IV programs is not considered a TPS. As a result, the institution is solely responsible for any liabilities that may result from errors or compliance violations caused by the temporary staff provided by this type of agency. Any attempt by an agency or institution that contracts with it to misrepresent the extent of that agency’s involvement in the higher education sector or administration of Title IV programs, is considered a program violation.

An entity that specializes in, or has a significant presence in, the higher education sector and/or the administration of Title IV programs, and that provides staffing, even on a temporary basis, to support an institution’s administration of the Title IV programs is considered a TPS. Both the institution and the TPS are subject to all applicable TPS-related requirements. The institution and the third-party servicer are jointly and severally liable to the Department for any errors or compliance violations made by the staff provided by the TPS.

It depends on the degree to which the outside entity controls or has access to institutional funds. If an institution contracts with an entity to print and/or mail Title IV credit balance checks or to prepare electronic transfers of Title IV credit balances and those checks or electronic transfers draw funds directly from the institution’s treasury account (the institution’s operating account) or federal funds bank account (an account utilized to receive Title IV funds directly from the Department via G5), the check preparation or EFT entity is not considered a TPS. In these arrangements, the institution is responsible for reconciling its accounts, monitoring undeliverable or un-negotiated checks, and returning funds to the Department within the required regulatory time frames. The institution is solely responsible for any liabilities that may exist as a result of errors or compliance violations that may occur as a result of using the provider to perform these Title IV credit balance tasks.

If, on the other hand, an institution establishes an account at the third-party entity or transfers funds to an account with the third-party entity, or to any of the entity’s affiliated partners, for purposes of writing Title IV credit balance checks out of such an account or creating EFT transactions out of such an account, the third-party entity is considered to be a TPS and both the institution and the TPS are subject to all applicable TPS-related requirements. The institution and the TPS are jointly and severally liable to the Department for any errors or compliance violations made by the TPS.

It depends. If an eligible institution performs Title IV functions or services on behalf of another institution that has the same legal corporate or shared governance system (e.g., a public institution performing functions on behalf of another institution within the same legally established state educational system or a proprietary institution performing functions on behalf of another institution within the same corporate ownership) the institution performing the functions would not be considered a TPS.

If an eligible institution performs Title IV functions or services on behalf of another institution that is not part of the same legal corporate or shared governance system, the institution performing the functions is considered a TPS and is subject to the applicable TPS regulations.

It depends. If an entity or individual is performing the functions necessary to calculate an institution’s placement rates or other outcome metrics, and the institution uses or relies on this information to prepare required disclosures, the entity or individual is considered a TPS. Such functions include, but are not limited to:

  • Contacting former students or their employers;

  • Obtaining information or documentation from a former student, their employer, or other resources to confirm such employment; or

  • Preparing required disclosures.

If an entity or individual is only reviewing institutional information, that review will not by itself result in the entity or individual being considered a TPS. However, if the activities of the entity or individual include gathering data, analysis of data, or reaching out to data providers, the entity or individual is considered a TPS.

Yes. TPS requirements apply when an individual who owns, is employed by, or is associated with an outside entity, including an independent contractor, performs Title IV-related functions or services on behalf of an eligible institution. TPS requirements also apply when an individual designated as an independent contractor performs Title IV-related functions or services on behalf of the institution.

An employee of an institution is not considered a TPS if the employee—

  • Is paid directly by the institution and funds for the individual’s employment have not been provided indirectly by another entity;

  • Performs all duties under the institution’s supervision;

  • Is not employed by or associated with a TPS;

  • Does not perform functions or services on behalf of another institution; and

  • Is not a TPS for any other institution.

Third-Party Servicer Contracts (CNT)

Yes. An institution must enter into a contract with a TPS that clearly and thoroughly describes the services and functions the servicer is responsible for providing or performing on behalf of the institution.

The institution’s notification must include the name and address of the servicer as well as a description of the functions or services that the servicer is performing on behalf of the institution. An institution reports TPS notifications via the Application for Approval to Participate in the Federal Student Financial Aid Programs (E-App) website or its successor website.

Upon request, the institution must provide a copy of its TPS contract (and any modifications) to the Department.

In a TPS contract, the servicer must agree to:

  • Be jointly and severally liable with the institution for any violation of Title IV requirements resulting from the functions performed by the servicer;

  • Comply with all applicable statutory, regulatory, and other Title IV requirements, including submission of TPS compliance audits;

  • Refer any suspicion of fraudulent or criminal conduct regarding administration of the institution’s Title IV programs to the Department’s Office of Inspector General;

  • Confirm student eligibility and return Title IV funds (if required) when a student withdraws from the institution if the servicer disburses Title IV funds; and

  • Return all records related to the servicer’s administration of the institution’s participation in the Title IV programs to the institution, and if the servicer disburses or releases Title IV funds, return all unexpended Title IV funds to the institution, if the contract with the institution is terminated, or the servicer ceases to perform any functions prescribed under the contract for any reason including non-payment of financial obligations by the institution.

An institution must ensure that its contracts accurately and specifically detail the functions that the servicer and its subcontractor(s), if applicable, will perform on behalf of the institution, as well as the functions that will or must be completed by the institution. The contract must identify the TPS by its legal name and include any other name under which the servicer does business (d/b/a). The contract must provide the physical address and primary telephone number of the servicer’s primary location, as well as the name, title, telephone number, and email address of the president or chief executive officer of the entity. If a TPS subcontracts any of its contractual responsibilities, the contract must identify each subcontractor and clearly describe the functions performed on behalf of the servicer and institution by the subcontractor.

In addition, institutions are subject to the information security requirements for financial institutions established by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act. More information can be found on the FTC’s website. Institutions must take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require service providers by contract to implement and maintain such safeguards.

Finally, the institution must require the TPS to agree to comply with all aspects of the Family Educational Rights and Privacy Act (FERPA) with regard to the receipt and use of any education records provided by the institution.

Institutions are strongly encouraged to include provisions in any TPS contract to terminate the contract immediately, without penalty, if the institution is notified that the Department has imposed an emergency, limitation, suspension, or termination action with regard to a servicer’s ability to contract with the institution to administer any aspect of its participation in the Title IV programs. Institutions are also strongly encouraged to include similar language to terminate a contract if the servicer is debarred, suspended, or voluntarily excluded from government-wide participation in covered transactions.

Yes. An institution may not contract with or otherwise engage a TPS that:

  • Has been limited, suspended, or terminated by the Department within the preceding five years;

  • Has been convicted of, or pled nolo contendere or guilty to, a crime involving the acquisition, use, or expenditure of federal, state or local government funds;

  • Has been administratively or judicially determined to have committed fraud or any other material violation of law involving federal, state, or local government funds;

  • Has had, during the servicer’s two most recent audits, a finding that resulted in the servicer being required to repay an amount greater than five percent of the funds that the servicer administered under the Title IV programs for any year; or

  • Has been cited during the preceding five years for failure to submit audit reports required under Title IV in a timely fashion.

In addition, an institution may not contract with a TPS to perform any aspect of the institution’s participation in a Title IV program if the servicer is located outside of the United States or is owned or operated by an individual that is not a U.S. citizen or national, or a lawful U.S. permanent resident.

An institution must search the General Services Administration’s System for Award Management site at http://www.sam.gov when it enters into, renews, or revises a contract with a servicer to determine if the servicer is an excluded entity. The institution should keep a copy of the search results in its records.

The Department will notify an institution in writing if the institution reports contracting with a servicer that has been limited, suspended, or terminated by the Department, or if the Department has imposed an emergency action on the servicer.

Yes, an institution is required to obtain a signed Certification By Lower Tier Contractor form from each contracted TPS, as well as each subcontractor that performs work for the institution on behalf of a TPS. A Lower Tier Contractor includes any contracted individual who participates in the institution’s administration of the Title IV programs and is not considered an employee of the institution. The Certification By Lower Tier Contractor form is included as an attachment to the institution’s PPA. The institution must make copies of the form and obtain the signatures of any and all Lower Tier Contractors on those copies. The signed certification(s) must be retained in the institution’s files.

Under joint and severable liability, the Department may seek repayment for Title IV violations from the institution, the TPS, or both.

Since the institution is jointly and severally liable for any violation committed by its TPS, the institution should take precautions during its selection and contracting process and implement procedures with appropriate controls, including periodic assessments, to ensure that the functions or services performed by the TPS on behalf of the institution are performed in compliance with Title IV rules.

Third-Party Servicers – Safeguarding Student Information (SSI)

Yes, under certain conditions. FERPA regulations at 34 C.F.R. § 99.31(a)(4) permit an institution to disclose PII from an education record of a student to a TPS, without consent, in connection with financial aid for which the student has applied or which the student has received, if disclosure of the information is necessary to:

  1. Determine eligibility for the aid;

  2. Determine the amount of the aid;

  3. Determine the conditions for the aid; or

  4. Enforce the terms and conditions of the aid.

The institution must comply with FERPA’s recordkeeping requirements regarding disclosures in 34 C.F.R. § 99.32, which require an education agency or institution to: (1) maintain a record of each request for access to and each disclosure of PII from the education records of each student; and (2) maintain the request record with the student’s education records as long as the student’s records are maintained. The request record must include: (1) the parties who requested or received PII from the education records, and (2) the parties’ legitimate interests in requesting or obtaining the information. If the institution discloses PII from education records with the understanding that further disclosures will be made, the educational institution’s disclosure record must include the names and legitimate interests of any additional parties.

Yes. The PII from education records provided to a TPS is limited to only the information necessary for the TPS to perform its contracted Title IV function(s) or service(s) on behalf of the institution.

The institution must ensure that each TPS uses PII only for the purpose(s) for which the PII was disclosed. For a TPS, that purpose is the Title IV function the servicer contracted to perform on behalf of the institution. Servicers are prohibited from using PII for any other purpose.

The Department will initiate an administrative action against the institution and/or its TPS if a servicer violates this prohibition.

Yes. For both the institution and any TPS, access to information in the Department’s systems may only be used for the specific Title IV function or service that is being performed. The data contained in the Department’s systems, such as the National Student Loan Data System (NSLDS), the Common Origination and Disbursement (COD) System, or the Central Processing System (CPS), are confidential and protected by the Privacy Act of 1974, as amended, and other applicable statutes and regulations.

Failure to comply with the Department’s access and user requirements may result in the organization or individual losing access to the Department’s systems and/or being subject to sanctions including, but not limited to, the initiation of a limitation, suspension, or termination action or a debarment proceeding against the individual, institution, and/or TPS. Each user of a Department system must use his or her own User-ID. That person is responsible for safeguarding the User-ID and password and must not allow use by any other person. Further, sharing or providing data retrieved by an authorized person from the Department’s systems with persons or organizations that are not expressly authorized to receive that information is prohibited.

An eligible institution or TPS that allows unauthorized access to the Department’s systems will be considered to have violated its responsibilities and places itself at risk of losing access to the Department’s systems and data, and of possible loss of eligibility to participate in the Title IV programs.

Yes. Postsecondary educational institutions participating in the Title IV programs are subject to the information security requirements established by the Federal Trade Commission (FTC) for financial institutions. These FTC requirements also apply to Title IV third-party servicers. The requirements apply to all customer information in an institution’s possession, regardless of whether such information pertains to students, parents, or other individuals with whom the institution has a customer relationship, or pertains to the customers of other financial institutions that have provided such information to the institution. Customer information is any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the institution or its affiliates. As a financial institution covered under these information security requirements, an institution must develop, implement, and maintain a comprehensive information security program.

The information security program must be written in one or more readily accessible parts and contain administrative, technical, and physical safeguards that are appropriate to the size and complexity of the school, the nature and scope of its activities, and the sensitivity of any customer information at issue. Under these provisions, a service provider is any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly with an institution. The institution must take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue and require service providers by contract to implement and maintain such safeguards. Schools must periodically assess their third-party servicers to determine the risk they present and the continued adequacy of their safeguards.

Third-Party Servicer Data Form (DF)

The Third-Party Servicer Data Form is an OMB-approved data collection tool used to validate TPS information that institutions report to the Department and to collect from each TPS additional information needed for effective oversight.

Entities or individuals that meet the definition of a TPS are required to submit the Third-Party Servicer Data Form to the Department and are required to update information provided on the Third-Party Servicer Data Form within 10 days of the date that:

  • The servicer changes its name;

  • The servicer changes the address or contact information for its primary location or additional location;

  • The servicer adds or terminates a contract with an eligible Title IV institution;

  • The servicer buys, sells, or merges with another TPS; or

  • The servicer goes out of business.

The Third-Party Servicer Data Form is attached to this Dear Colleague Letter. Completed forms should be submitted electronically to:

fsapc3rdpartyserviceroversight@ed.gov

or mailed to:

Third-Party Servicer Oversight Group – Data Form
Federal Student Aid
United States Department of Education
1010 Walnut Street Suite 336
Kansas City, MO 64106-2147

To report a service or function that is not listed in Question 16 of the TPS Data Form, the TPS should select “Other” and provide a written description of the services or functions performed.

Third-Party Servicer Audits (ADT)

Yes. A TPS that performs any aspect of an institution’s administration of the Title IV programs must have an independent auditor conduct a compliance audit of its administration of the functions or services that it performs on behalf of eligible institutions, unless the servicer contracts with only one participating institution and the attestation engagement of that institution’s participation involves every aspect of the servicer’s administration of the Title IV programs. A TPS must follow the procedures contained in the audit guides developed by, and available from, the Department of Education’s Office of Inspector General (OIG), provided that the federal student aid functions performed by the entity are covered in the submission.

TPS audits must be submitted annually through eZ-Audit (https://ezaudit.ed.gov) or its successor website. Contact the eZ-Audit Support Team by email at fsaezaudit@ed.gov for assistance with the eZ-Audit registration or submission process.

In cases where any Title IV services or functions performed by a TPS are not covered in the OIG’s audit guide, the TPS must upload a letter as an attachment to its eZ-Audit annual submission that describes the services or functions performed by the entity. The letter must include an assurance from TPS management that the entity complied with all applicable requirements regarding the services and functions that it performed on behalf of eligible institutions.

In addition, the letter must include the following:

  1. The following information regarding the servicer:
    Legal name and d/b/a name
    Address
    Telephone number
    Fax number
    Website URL

    President/CEO name
    Telephone number
    Email address

    Other contact person, title
    Telephone number
    Email address

  2. A detailed description of the functions and services the servicer performs on behalf of the institution(s) with which it contracts. For example:

    • Provide prospective students with information on educational programs, application and document requirements, deadlines, and enrollment steps; or

    • Perform default management/aversion activities such as obtaining student borrower information contained in the Department’s systems, contacting borrowers regarding loan indebtedness, repayment options or loan obligations, assisting with completion and collection of deferments, forbearances, and other loan documents.

  3. A list of the Title IV institutions the servicer performed TPS work on behalf of during the servicer’s most recently ended fiscal year. This list must include each institution’s name and 8-digit OPE ID.

  4. Assurances that:

    1. The servicer’s contract includes all items in 34 C.F.R. § 668.25(c).

    2. The servicer has established a system of internal controls to ensure compliance with the laws and regulations applicable to the services or functions that it provides.

    3. The servicer maintains comprehensive written procedures describing the functions or services it performs on behalf of institutions. These procedures must clearly outline the servicer’s responsibilities and the institutions’ responsibilities.

    4. The servicer complies with all requirements of the Family Educational Rights and Privacy Act (FERPA), as well as the information security requirements. established by the Federal Trade Commission (FTC) for maintaining appropriate safeguards with respect to the education records and student information to which it has access.

    5. The servicer adheres to all Department requirements for accessing and/or granting access to the Department’s systems.

Audit supplement letters must be submitted to eZ-Audit (https://ezaudit.ed.gov). Please refer to the July 17, 2020 Electronic Announcement for further instructions.

A TPS must submit its compliance audit or audit letter annually no later than six months after the last day of the servicer’s fiscal year.

Audit questions should be submitted to the Department of Education's Office of the Inspector General’s (OIG’s) Non-Federal Audit Team by email at oignon-federalaudit@ed.gov.

Contact Information and Implementation

If you have further questions about the TPS requirements discussed in this letter, please use the Contact Customer Support form in FSA’s Partner Connect Help Center. To submit a question, enter your name, email address, topic, and question. When submitting a question related to this Dear Colleague Letter, please select the topic “FSA Ask-A-FED/Policy.”

An earlier version of this letter invited the community to submit comments on the guidance in this letter so that we would have an opportunity to hear from the field about areas that are unclear or could be improved. We recognize that this has created some uncertainty around exactly what requirements and reporting deadlines will apply. Therefore, as noted above, we are adjusting the effective date of the guidance to September 1, 2023. Institutions will be required to report any arrangements with third-party servicers that have not been reported to the Department, and entities meeting the definition of a third-party servicer will be required to submit the Third-Party Servicer Data Form to the Department by that date. Additionally, because we are announcing these changes during a comment period, we have elected to adjust the comment period so that it closes 30 days from the date of this update.

The community is invited to submit comments regarding the guidance presented in this Dear Colleague Letter within 30 days of this update to this letter via the Federal eRulemaking Portal at Regulations.gov, under Docket ID ED-2022-OPE-0103. Information on using Regulations.gov, including instructions for finding a rule on the site and submitting comments, is available on the site under "FAQ." We are especially interested in comments on the impact of continuing the existing limitation on institutions contracting with third-party servicers operating outside the United States or owned or operated by individuals who are not U.S. citizens, nationals, or permanent residents, including how to address the Department’s concerns about the ability to hold such servicers liable if necessary.

Thank you for your continued support of the Title IV programs.

Sincerely,

Annmarie Weisman
Deputy Assistant Secretary for Policy, Planning, and Innovation
Office of Postsecondary Education

Attachments

The Department of Education strives to make all content accessible to everyone. While this document does not currently meet the standards of Section 508 of the Rehabilitation Act of 1973, as amended, Federal Student Aid is working to create an accessible version. If you need access to this document before the accessible version is available, please contact the Information Technology Accessibility Program Help Desk at ITAPSupport@ed.gov to help facilitate.

Third-Party Servicer Data Form in PDF Format, 8 Pages, 471KB

Last Modified: 05/16/2023