The DCL details the existing third-party servicer requirements relating to institutional reporting, contract provisions, FERPA regulations, FTC rules on information security, and third-party servicer compliance audits. Of particular note, the DCL clarifies that entities providing computer services or software are third-party servicers if they maintain any “student-level information” related to the administration of Title IV. The DCL further advises that entities that host secure portals for the transmission or electronic storage of and access to Title IV records are considered third-party servicers.
In December 2014, ED issued a Federal Register notice seeking comments on the process used to report and audit third-party servicers (comments were due January 7th).
As noted in our prior alert, to avoid potential liability and reporting requirements, institutions should use extra care in determining whether the service companies they partner with must be reported as third-party servicers for Title IV purposes. In particular, we recommend that entities that do not intend to act as third-party servicers expressly disclaim such a role in any written contract with a Title IV institution and include language to prevent the institution from erroneously reporting the entity to ED as a third-party servicer.
- While the DCL language is somewhat unclear on this point, we have confirmed through guidance by ED that the DCL is not intended to extend the third party servicer obligations to entities that are not administering aspects of Title IV. Note, however, that FERPA obligations do extend to such entities to the extent they have access to student data.