This symposium provides an update on the federal loan servicer recompete, including the goal to ensure affordable repayment plans, quality customer service, reliable information, and fair treatment for all federal student loan borrowers. It also discusses the third-party servicer update and regulatory changes.
NCHER Knowledge Symposium, Nashville, TN
Federal Update, November 3, 2016
Today’s topics
• Federal Loan Servicer Recompete
• Third-Party Servicer Update
• Regulatory Update
• Q & A
Federal Loan Servicer Recompete
• Goal: ensure that every federal student loan borrower has the right to:
  • an affordable repayment plan
  • quality customer service
  • reliable information
  • fair treatment
• ED vision: build a single online loan management platform with high-quality, one-on-one customer service that helps and guides borrowers through questions or changed circumstances
Federal Loan Servicer Recompete
• Current practice:
  • all servicers do everything, not just their strengths
• Future practice:
  • one vendor with technical capabilities will build the platform, and multiple servicing vendors or “customer service providers” will plug into the platform
  • no single vendor will be responsible for every aspect of student loan servicing, but the new experience will be seamless to borrowers
  • FSA will seek additional vendors to provide direct customer service to borrowers
Federal Loan Servicer Recompete
• Status: in bidding process for servicing platform vendor
  • Phase I: received five proposals
  • Phase II: selected three firms to participate
  • Anticipated contract award: February 2017*
• *Press release, Oct. 26, 2016 (see ed.gov website)
Federal Loan Servicer Recompete
• Key components:
  • standardized, ED-branded communication to limit borrower confusion
  • streamlined borrower experience via one platform and one web portal
  • consistent, high-quality customer service practices that treat all borrowers equally
  • reduced or eliminated loan transfers (and other disruptions)
  • enhanced oversight and accountability that will ensure that borrowers are treated fairly
Third-Party Servicer Update
Definition: an individual, a state, or a private for-profit or non-profit organization that contracts with an eligible institution to administer, through manual or automated processing, any aspect of the institution’s participation in any Title IV, HEA program.
An entity or individual that is not an employee of the institution and that performs services and/or functions necessary:
• for the institution to remain eligible to participate in the Title IV programs
• to determine a student’s eligibility for Title IV funds
• to account for Title IV funds
• to deliver Title IV funds to students, or
• to perform any other aspect of the administration of the Title IV programs
regardless of whether the servicer is compensated for the functions or services performed on behalf of the institution.
Third-Party Servicer Update
Examples of servicer functions:
• providing financial aid staffing and/or Title IV processing support
• providing financial aid management support
• accessing ED systems and/or information downloaded from an ED system to perform any Title IV function or service on behalf of an eligible institution
• determining student eligibility and related activities
• preparing/submitting required applications or reports
• performing interactive financial aid counseling in person, over the phone, and/or electronically
• preparing required consumer information disclosures
• performing default prevention/aversion activities
• cash management functions
• Perkins Loan servicing or collection
*For more examples, see 34 CFR §668.2 and Dear Colleague Letter GEN 15-01
Third-Party Servicer Exclusions
The definition does not include an employee of the institution if the individual:
• works on a full-time, part-time, or temporary basis
• performs all duties under the supervision of the institution
• is paid directly by the institution
• is not employed by or associated with a third-party servicer
• is not a third-party servicer for any other institution
• does not perform Title IV functions or services on behalf of another institution
Third-Party Servicer Exclusions
Excludes entities or individuals:
• hired to review and/or revise policies and procedures to correct deficiencies or make recommendations for improvement
• hired to publish policies, procedures, handbooks, disclosures, etc. via print, audio, video, and/or online
• hired to perform financial and compliance auditing, including preparation of financial statements
• assisting an institution in completing and/or submitting its response to a program review, audit, or investigation
• from local or federal law enforcement agencies, fire departments, and/or other public safety agencies providing campus crime awareness and/or drug and alcohol prevention services
Third-Party Servicer Exclusions
Excludes entities or individuals providing:
• financial literacy curriculum or programming, workshops, and/or public awareness campaigns/events open to Title IV and non-Title IV recipients
  • exclusion not applicable if an institution requires its students to attend a financial literacy event or complete financial literacy training or counseling to satisfy exit loan counseling or another Title IV requirement
• Cash management exclusions:
  • Tier 2 arrangements as described in 34 CFR 668.164(f)
  • direct ACH transactions between an institution’s treasury account and an account designated by a student for receipt of Title IV funds
  • mailing of checks produced by the institution
Third-Party Servicer Update
Third-party servicer contracts must:
• be written
• clearly describe the servicer’s functions
• provide the servicer’s:
  • physical address and phone number of the primary location
  • president/CEO name, title, phone number, and e-mail address
• identify any subcontractor and clearly describe the functions performed on behalf of the servicer and institution by the subcontractor
Third-Party Servicer Update
Third-party servicer contracts (cont.)
• An institution must take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards to protect customer information, and must require service providers by contract to implement and maintain such safeguards
• An institution must require the third-party servicer to agree to comply with FERPA regarding receipt and use of educational records provided by the institution
Third-Party Servicer Update
February 12, 2015 Electronic Announcement, subject: Third Party Servicer Data Form – Reporting Requirement
Third-party servicers that contract with institutions to perform any aspect of the administration of the Title IV programs must report to ED the names of the institutions they contract with.
Third-Party Servicer Update
Institutions must notify ED using the E-App at eligcert.ed.gov within 10 days of the date it begins, changes, or ends a contract with a servicer to administer any aspect of its Title IV participation
• must include the name and address of the servicer
• must provide a copy of the contract and modifications to ED, upon request
• must obtain a signed Certification By Lower Tier Contractor form from all of its third-party servicers, as well as subcontractors that perform work for the institution on behalf of a servicer (part of the institution’s PPA)
Third-Party Servicer Update
Audit requirement: a third-party servicer performing any aspect of an institution’s Title IV program administration
• must have an independent auditor conduct a compliance audit of its administration of the functions or services that it performs on behalf of eligible institutions, unless:
  • the servicer contracts with only one participating institution, and
  • the attestation engagement of that institution’s participation involves every aspect of the servicer’s administration of the Title IV programs
• must follow audit guide procedures developed by and available from ED's OIG when the entity performs functions covered in the submission: http://www2.ed.gov/about/offices/list/oig/nonfed/sfa.html
Third-Party Servicer Update
Audit letter: when a third-party servicer provides Title IV services or functions not covered in OIG’s audit guide, the servicer must submit a letter to the Third-Party Servicer Oversight Group that asserts it is (or was) an eligible third-party servicer (as outlined in 34 CFR §668 subpart G)
• must include management’s assertion that it complied with all applicable requirements regarding the services and functions that it performed on behalf of eligible institutions
Third-Party Servicer Update
Audit letter (cont.)
In addition, the audit letter must include the following:
• legal name, d/b/a, and contact information for the servicer
• a detailed description of the functions and services the servicer performs on behalf of the institutions it contracted with
• a listing of the Title IV institutions the servicer performed work on behalf of during the servicer’s most recently ended fiscal year; this list must include each institution’s name and OPE ID
Third-Party Servicer Compliance Audit/Letter Address
Submit third-party servicer audits and audit letters to:
U.S. Department of Education - FSA
Third-Party Servicer Oversight Group – Audits
1010 Walnut Street, Suite 336
Kansas City, MO 64106-2147
Or send as an encrypted e-mail attachment to: fsapc3rdpartyserviceroversight@ed.gov
Submit audit questions to ED's Office of the Inspector General’s (OIG’s) Non-Federal Audit Team via e-mail: oignon-federalaudit@ed.gov
Third-Party Servicer Update
Audit/audit letter requirements (cont.)
• Implementation:
  • submit missing compliance audit(s) by Dec. 31, 2016
  • must include all unaudited periods for the 3 most recently completed FYs
  • see DCL GEN-16-15 for further “catch-up” details
• Ongoing: due no later than 6 months after the servicer’s FYE
Recent regulatory efforts
• State Authorization for Distance Education
• Teacher Prep – published 10/31/2016
• Borrower Defense – published 11/1/2016
• Rulemaking website: http://www2.ed.gov/policy/highered/reg/hearulemaking/2016/index.html
Borrower Defense to Repayment: Ensuring Access to BD for All Borrowers
• New federal standard
• Individual and group claims processes
• Procedural rule to follow
• Changes to financial responsibility regulations
• New disclosure requirements

• Access to BD relief for FFEL and Perkins borrowers through Direct Consolidation Loans
• FFEL borrowers given the same access to administrative forbearance as DL borrowers during BD claim evaluation
  • DCL forthcoming
  • Forbearance provision designated for early implementation on Nov. 1, 2016

• Applies to Direct Loans first disbursed on/after July 1, 2017
• No longer merely a ‘defense to repayment’; claims can be asserted by borrowers absent a collections proceeding

• Easier to understand
• More accessible
• Facilitates collection and review of evidence for resolving claims
• Promotes more efficient, transparent, and fair claims processing
Borrower Defense to Repayment
• Other issues regulated:
  • Electronic Death Certificates
  • Nurse Faculty Loans in Consolidation Loans
  • Interest Capitalization
  • REPAYE Technical Corrections
  • Collection Costs
  • Pre-dispute arbitration ban
• Other related issue:
  • Pell Grant Reinstatement
Dear Colleague Letters
*Forthcoming letters:
• Servicemembers Civil Relief Act
• Borrower Defense – FFEL forbearance
• Closed School Discharge early implementation
Contact Information
Third-Party Servicer Oversight Group
Ralph LoBosco, Director, 816-268-0440
Angela Beam, Compliance Manager, 816-268-0543
FSAPC3rdpartyserviceroversight@ed.gov
Main Line: 816-268-0543

Contact Information
Annmarie Weisman, Director, Policy Coordination Group
Office of Postsecondary Education
annmarie.weisman@ed.gov
Phone: 202-453-6712
Your Obligation To Protect PII Data
Theon Dam, Federal Student Aid (FSA) IT Security Specialist
November 7, 2016
Agenda
• Background
• Security Incidents
• Why Should We Care About the Sprint Actions
• Network Scans/Configurations
• Patch Management
• Security Policies
• Cost of Security Breach
• Security Breach Reports
• Resources
Background
Student Aid Internet Gateway (SAIG) Enrollment Agreement
• Entered into by each Title IV participating institution
• Provides that each institution “must ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel”
• Identifies applicable regulations, including:
  • HEA (Higher Education Act)
  • FERPA (Family Educational Rights and Privacy Act)
  • Privacy Act of 1974
Background (cont’d)
Gramm-Leach-Bliley Act (GLBA)
• Financial services organizations are required to ensure the security and confidentiality of customer records and information. This requirement was recently added to the Program Participation Agreement and is reflected in the FSA Handbook.
• Safeguards Rule
  • Applies to financial institutions and those that receive information about the customers of financial institutions
  • Requires institutions to secure customer information and create a written information security plan that describes their program to protect customer information
Security Incident
In June 2015, the United States Chief Information Officer (CIO) Tony Scott responded to a data breach at a federal agency by launching a 30-day Cyber Security Sprint to improve federal cybersecurity and protect IT systems against evolving threats. As part of this effort, the Federal CIO instructed federal agencies to immediately take a number of steps to further protect information and assets and improve the resilience of federal networks.
Cyber Security Sprint Actions
• Scan networks for indicators of compromise
• Patch critical vulnerabilities without delay
• Tighten policies and practices for privileged users
• Implement Personal Identity Verification (PIV) cards for network access, especially for privileged users
• Identify high value assets and review corresponding security protections
Why Should We Care About the Sprint Actions?
• These are high priority items for FSA and will likely be reviewed during future site visits at your locations
• Best practices in your toolbox to help protect student information
• Help to safeguard against potential student information breaches
• Provide a baseline for implementing critical security controls
Network Scans/Configuration
• Perform scans on a frequent basis to detect vulnerabilities and to maintain good situational awareness
• Use authenticated scans whenever possible
• Categorize and remediate identified vulnerabilities ASAP
• Create Plans of Action and Milestones (POA&Ms) to track vulnerabilities that cannot be remediated in the near term
• Use a risk-based method for POA&M management, with emphasis on remediating high and medium risk vulnerabilities
• Use a server configuration standard such as the Center for Internet Security (CIS) benchmarks or DISA Security Technical Implementation Guides (STIGs)
Patch Management
• Apply critical patches for vulnerabilities without delay; the vast majority of cyber incidents exploit well-known vulnerabilities that are easy to remediate
• Evaluate, test and apply other patches within reasonable timeframes (waiting more than 30 days may be too long)
• Automate and push patches to users so they do not have to perform patch management functions
• Don’t forget third-party products such as Adobe; these should be automated and patched in a timely manner
• Plan for asset and operating system end-of-life (e.g. Windows XP)
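The two slides above (scan findings, POA&Ms for what cannot be fixed soon, risk-based prioritization, and the 30-day patch guidance) describe one workflow. The following is an added worked example, not code from the deck or from FSA: it takes a constructed scanner export in CSV form, assigns each finding a remediation deadline by severity (the per-severity day counts are our assumption; only the 30-day figure comes from the slides), sorts by risk, and splits the findings into immediate patch work, a normal schedule, and POA&M entries for items that are past due with no fix available.

```python
"""Risk-based triage of scan findings into patch work and POA&M entries.

Added example, not from the NCHER slides or FSA. It assumes a scanner
export in the constructed CSV layout below and constructed remediation
targets per severity; the only figure taken from the deck is that waiting
more than 30 days to apply a patch may be too long.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation targets in days after first detection (our assumption,
# not an ED/FSA standard). "high" uses the deck's 30-day guidance.
REMEDIATION_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner export; hosts and plugin names are invented.
SAMPLE_SCAN = """\
host,plugin,severity,first_seen,patch_available
fa-web01,Apache HTTP Server outdated,critical,2016-09-15,yes
fa-db01,TLS 1.0 enabled,medium,2016-08-01,no
fa-app02,Adobe Reader outdated,high,2016-10-20,yes
fa-lab03,Windows XP end of life,critical,2016-06-01,no
fa-web01,HTTP TRACE method allowed,low,2016-10-25,no
"""


@dataclass
class Finding:
    host: str
    plugin: str
    severity: str
    first_seen: date
    patch_available: bool

    def due(self) -> date:
        """Remediation deadline derived from severity."""
        return self.first_seen + timedelta(days=REMEDIATION_DAYS[self.severity])

    def days_overdue(self, today: date) -> int:
        return max(0, (today - self.due()).days)


def parse_findings(text: str) -> list:
    rows = csv.DictReader(io.StringIO(text))
    return [
        Finding(r["host"], r["plugin"], r["severity"].strip().lower(),
                date.fromisoformat(r["first_seen"]),
                r["patch_available"].strip().lower() == "yes")
        for r in rows
    ]


def triage(findings, today: date) -> dict:
    """Order findings by risk and place each in one of three queues.

    patch_now : a fix exists and the finding is critical/high or past due
    scheduled : a fix exists or the window is still open; normal cycle
    poam      : past due with no fix available; needs a Plan of Action and
                Milestones entry so it is tracked rather than forgotten
    """
    queues = {"patch_now": [], "scheduled": [], "poam": []}
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.first_seen))
    for f in ordered:
        overdue = f.days_overdue(today) > 0
        if f.patch_available and (f.severity in ("critical", "high") or overdue):
            queues["patch_now"].append(f)
        elif not f.patch_available and overdue:
            queues["poam"].append(f)
        else:
            queues["scheduled"].append(f)
    return queues


def poam_entries(findings, today: date) -> list:
    """Draft POA&M rows for findings that cannot be fixed in the near term."""
    return [{
        "host": f.host, "weakness": f.plugin, "risk": f.severity,
        "days_overdue": f.days_overdue(today),
        # Assumed placeholder milestone: one more remediation window from today.
        "milestone": today + timedelta(days=REMEDIATION_DAYS[f.severity]),
    } for f in triage(findings, today)["poam"]]


def triage_sample(today_iso: str = "2016-11-07") -> dict:
    """Run the triage on the constructed export; return (host, plugin) pairs per queue."""
    today = date.fromisoformat(today_iso)
    queues = triage(parse_findings(SAMPLE_SCAN), today)
    return {name: [(f.host, f.plugin) for f in items] for name, items in queues.items()}


if __name__ == "__main__":
    today = date(2016, 11, 7)
    for queue, items in triage(parse_findings(SAMPLE_SCAN), today).items():
        print(queue)
        for f in items:
            print(f"  [{f.severity:8}] {f.host:9} {f.plugin} (due {f.due()}, {f.days_overdue(today)}d overdue)")
    for row in poam_entries(parse_findings(SAMPLE_SCAN), today):
        print("POA&M:", row)
```

Run as-is to see the three queues for the sample; in practice the CSV would come from the scanner's export and the severity-to-days table from the institution's own policy. The point of the `poam` queue is that an end-of-life system with no patch does not silently drop off the list: it gets a tracked milestone instead.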
Security Policies
• Implement policies consistent with emerging technologies, such as disabling and wiping data from lost or stolen mobile devices
• Limit functions that can be performed when using privileged accounts
• Minimize the number of privileged users and limit the privileged functions that can be performed remotely
• Log privileged users’ activities and review logs on a regular basis
• Encrypt data at rest and in transit using strong encryption
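The three privileged-account bullets above (few privileged users, restricted remote privileged functions, logged and reviewed activity) can be checked from the logs that sudo already writes. The following is an added example, not code from the deck or from FSA: it parses constructed syslog-style sudo lines, compares successful escalations against a constructed list of approved privileged users, flags commands from a constructed console-only list when they are run from a pseudo-terminal (assumed here to indicate a remote session), and collects failed escalation attempts for the regular review.

```python
"""Periodic review of privileged-account activity from sudo logs.

Added example, not from the NCHER slides or FSA. It assumes syslog-style
sudo records in the constructed sample below and a constructed local policy
(approved privileged users, commands restricted to the console) standing in
for whatever an institution actually adopts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy, an assumption for the example.
APPROVED_PRIVILEGED_USERS = {"jdoe", "asmith"}
CONSOLE_ONLY_COMMANDS = {"/usr/sbin/visudo", "/usr/sbin/useradd", "/usr/sbin/usermod"}

# Constructed sample log lines in the format sudo and sshd write to syslog.
SAMPLE_LOG = """\
Nov  7 08:01:12 fa-app02 sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/yum update -y
Nov  7 08:05:43 fa-app02 sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/visudo
Nov  7 09:12:01 fa-db01 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
Nov  7 09:30:00 fa-db01 sudo:    bwong : TTY=tty1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd tempadmin
Nov  7 10:02:17 fa-web01 sudo:   asmith : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/bin/systemctl restart httpd
Nov  7 10:15:44 fa-web01 sshd[2231]: Accepted publickey for asmith from 10.20.30.40 port 51022 ssh2
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)


@dataclass
class SudoEvent:
    host: str
    user: str
    tty: str
    target: str
    command: str
    failure: Optional[str]  # sudo's free-text reason on failure, None on success

    @property
    def remote(self) -> bool:
        # Assumption: a pseudo-terminal (pts/N) indicates a network session;
        # a physical console appears as ttyN. Local terminal emulators also
        # use pts, so a site would refine this with sshd session data.
        return self.tty.startswith("pts/")


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo record, or None for any other line."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    fields, failure = {}, None
    for part in m.group("rest").split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
        else:
            failure = part.strip()  # e.g. "user NOT in sudoers"
    return SudoEvent(m.group("host"), m.group("user"), fields.get("TTY", "?"),
                     fields.get("USER", "?"), fields.get("COMMAND", ""), failure)


def review(log_text: str) -> dict:
    """Summarize privileged activity and list items for the regular review."""
    findings, privileged_users = [], set()
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        if ev.failure:
            findings.append(("failed_escalation", ev.host, ev.user, ev.command))
            continue
        privileged_users.add(ev.user)
        if ev.user not in APPROVED_PRIVILEGED_USERS:
            findings.append(("unapproved_privileged_user", ev.host, ev.user, ev.command))
        program = (ev.command.split() or [""])[0]
        if ev.remote and program in CONSOLE_ONLY_COMMANDS:
            findings.append(("remote_console_only_command", ev.host, ev.user, ev.command))
    return {"privileged_users": privileged_users, "findings": findings}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print("users who ran privileged commands:", sorted(report["privileged_users"]))
    for category, host, user, command in report["findings"]:
        print(f"{category:28} {host:9} {user:8} {command}")
```

The set of users who actually exercised privilege is the figure to compare against the approved list each review cycle: a name that appears in the log but not in the list is either a provisioning gap or an account that should lose sudo. Failed attempts are kept separate because they need a different follow-up (a locked-out administrator versus an account probing for access).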
Cost of Security Breach
• Costs (keep going up)
  • $4 million average cost of a data breach
  • $158 cost per lost record ($221 in the U.S.)
  • 17 malicious code hacks, 12 sustained probes/month
  • Reissue cards, consumer protection, insurance, liability
Source: Ponemon.org (2016)
Data Breach Investigations Report
• 60% of cases: attackers compromise the organization within minutes.
• Nearly 50% of people open e-mails and click on phishing links within the first hour.
• A campaign of only 10 e-mails yields a >90% chance that at least one person clicks.
• 99.9% of the exploited vulnerabilities had been compromised more than a year after the vulnerability was published.
• Half of vulnerabilities were exploited within two weeks of being posted.
• Malware events focus on: financial services, insurance, retail, utilities, and education.
Source: DBIR 2015
Potential Breach Sources
• Phone numbers
• Passwords?
• Informative files
• Leave information
• Unlocked screen