Reviewing the latest ED guidance from a TPS perspective

Over the last several months, most content about the Education Department’s (ED) Dear Colleague Letter, GEN-23-03, has been geared towards Institutions of Higher Education (IHEs). Here, we share valuable insights and information specifically tailored to the Third-Party Servicer (TPS) community to ensure that TPSs receive the attention and resources they require. This is crucial as current TPSs may be considering withdrawing from Higher Education due to the updated guidance.

Although many TPSs have expressed concern about the potential implications of the recent guidance, it is likely that the Education Department (ED) will retain many of the guidance’s key components. In fact, the trend of expanding the definition of a TPS has been evident since 2012, and we must prepare for the reality that this may be the new norm.

The abundance of information circulating within the edtech and services community may evoke fear, but it's essential to question whether the portrayal of ‘TPS’ as a detrimental classification is accurate. Being designated as a TPS does not necessarily mean the end for companies operating in the higher education space.

Timeline of sub regulatory guidance related to third-party servicers

To be fair, the new TPS requirements and rules will create additional burdens for companies, for example, potentially requiring some to reallocate resources to red tape procedural audits instead of spending on innovation. However, it is imperative to reframe what it means to be a TPS and what measures one can take to prepare for the possibility of the new guidance taking effect despite the industry’s best efforts to prevent it.

Those following the industry news are likely aware of the qualifications and obligations that will be required of TPSs. Just in case you missed it, we will summarize the requirements here.

  • The 2023 DCL GEN-23-03 states that an institution cannot contract with a TPS that has:

    • Been limited, suspended, or terminated by the Secretary within the preceding five years;

    • Had, during the servicer’s two most recent audits, an audit finding that resulted in the servicer being required to repay an amount greater than five percent of the funds that the servicer administered under the Title IV programs for any award year; or

    • Been cited during the preceding five years for failure to submit audit reports required under Title IV of the HEA in a timely fashion.

  • Additionally, if the servicer (or its subcontractors) is located outside of the United States or is owned or operated by an individual who is not a U.S. citizen or national or a lawful U.S. permanent resident it is prohibited from being a TPS. This prohibition applies to both foreign and domestic institutions.

If the TPS meets eligibility requirements based on those terms, then the TPS must agree to the following in all of its contracts with IHEs:

  • Be jointly and severally liable with the institution for any violation of Title IV requirements resulting from the functions performed by the servicer;

  • Comply with all applicable statutory, regulatory, and other Title IV requirements, including submission of TPS compliance audits;

  • Refer any suspicion of fraudulent or criminal conduct regarding administration of the institution’s Title IV programs to the Department’s Office of Inspector General;

  • Confirm student eligibility and return Title IV funds (if required) when a student withdraws from the institution if the servicer disburses Title IV funds; and

  • Return all records related to the servicer’s administration of the institution’s participation in the Title IV programs to the institution, and if the servicer disburses or releases Title IV funds, return all unexpended Title IV funds to the institution, if the contract with the institution is terminated, or the servicer ceases to perform any functions prescribed under the contract for any reason including non-payment of financial obligations by the institution.

Additionally, the TPS contract must include the following:

  • Accurately and specifically detail the functions that the servicer and its subcontractor(s), if applicable, will perform on behalf of the institution, as well as the functions that will or must be completed by the institution;

  • Identify the TPS by its legal name and include any other name under which the servicer does business (d/b/a);

  • The physical address and primary telephone number of the servicer’s primary location, as well as the name, title, telephone number, and email address of the president or chief executive officer of the entity; and

  • If a TPS subcontracts any of its contractual responsibilities, the contract must identify each subcontractor and clearly describe the functions performed on behalf of the servicer and institution by the subcontractor.

Finally, there are two requirements specific to Student Data Security:

  • Institutions are subject to the information security requirements for financial institutions established by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act (GLBA). Institutions must take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require service providers by contract to implement and maintain such safeguards.

  • The institution must require the TPS to agree to comply with all aspects of the Family Educational Rights and Privacy Act (FERPA) with regard to the receipt and use of any education records provided by the institution.

It is understandable to feel overwhelmed by the amount of information presented and required of TPSs. In response, we recommend reframing the information and looking at it from an auditor’s perspective. What will an auditor do to verify your organization is meeting all of these requirements? Well, the answer lies in the audit guide. For most of what we just described, the auditor will rely on these procedures:

Third-Party Servicer Audit Guide C.11.a-c

The procedures listed above largely cover the requirements we just described except for the FERPA and GLBA/FTC obligations. To verify those, your auditor will perform the following:

Third-Party Servicer Audit Guide C.8.6.a-c

Assuming you meet the new eligibility requirements, what should you do next? Here is what we recommend:

  1. Collaborate with the institutions you serve to revise your contractual agreements, ensuring comprehensive coverage of all required components. Keep in mind that you are jointly and severally accountable for any ED fines or penalties at your client institution. Therefore, review and modify your contracts to mitigate your risk exposure, assess your client risk profile, and assess the services you provide to high-risk clients. Additionally, you should consider evaluating your insurance to ensure sufficient coverage in the event of any penalties imposed by ED.

  2. Develop an information security program, if one is not already in place, to facilitate the protection of student information in accordance with the Safeguarding Student Information (SSI) guidelines and to comply with the necessary elements of the GLBA/FTC and FERPA regulations. Don’t forget about the two requirements identified in the GENERAL-23-09 announcement on February 9, 2023, which are not referenced in the latest audit guide published in March 2023. These two additional elements apply to TPS with over 5,000 consumers.

  3. Consider engaging an auditor and begin preparations for the audit process for your organization. We suggest that you carefully examine the audit guide before approaching potential auditing firms. It is important to keep in mind that the audit guide is a reference, and your organization should collaborate closely with the auditor to ensure that the audit approach adheres to your comprehension of the TPS requirements and to agree upon the audit methodology.

  4. Also, don’t forget to complete the Third-Party Servicer Data Form attached to DCL GEN-23-03 and email or mail it to ED by 9/1/2023.

So, after reviewing all the guidance and documentation, the question is: is being a TPS really that bad? We don't think so. And honestly, we don't think it's a good reason for most organizations newly defined as TPSs to exit the sector. We've seen in the past few decades that when the rules change, some businesses thrive while others struggle. The ones that are flexible enough to see these changes as opportunities and adjust accordingly usually come out on top.

As leaders in higher education, we have a responsibility to advocate for meaningful changes in regulatory oversight while also pushing back against overreaching regulations that could shutter an industry with unintended consequences. We are committed to monitoring the latest TPS-related developments and will release additional materials in the future concerning the latest requirements. Specifically, we plan to cover topics related to best practices for preparing for an annual independent audit, when to use supplemental audit letters (see Q&A ADT-Q1), and other pertinent matters.

We hope this comprehensive overview has helped with your understanding of the recent TPS changes. Also, we welcome your feedback regarding our position or interpretation of the guidelines on this subject, as well as your recommendations for future topics we should address. Please feel free to contact us via our designated contact us page or share your thoughts in the comments wherever this article is shared.

Update: 4/12/2023: We have published a second article focused on ADT-Q1, Supplemental Audit Letter Requirements & Best Practices