A recent guidance letter from the U.S. Department of Education applies “Third-Party Servicer” regulations to higher education institutions and to their content, software, systems, and services providers. Given the disruption this would cause, EDUCAUSE has asked the department to rescind the letter, fully consult with institutions and their stakeholders, and revise its guidance.
Note: Since publication of this article, the U.S. Department of Education has changed the comment deadline for its third-party servicer guidance from March 29 to March 30. Please see its Requirements and Responsibilities for Third-Party Servicers and Institutions for the official comment period deadline.
In mid-February, the U.S. Department of Education (ED) released a guidance letter (GEN-23-03) that substantially changed the interpretation of its "Third-Party Servicer" (TPS) regulations. Public communications of this type from ED are commonly known as "Dear Colleague Letters" (DCLs). While they do not constitute law or regulation, DCLs explain ED's view of what its regulations mean and how it will apply them. Thus, DCLs set the compliance expectations that covered organizations will have to meet unless one or more of the affected entities are prepared to challenge (most likely in court) ED's interpretation.
If you are not familiar with the TPS concept, don't be surprised. Up to this point, it has applied only to firms that are servicing the federal student aid needs of higher education institutions. However, in what seems to be an effort to extend oversight to online program management (OPM) companies, ED produced guidance in which it used unusually broad language to indicate what the TPS definition and regulations, in its view, now cover.
In the formal response that EDUCAUSE submitted to ED regarding its TPS DCL, we argue that the overly broad terms used in the DCL appear to lack sufficient grounding in law and regulation to support ED's guidance. We also make the point that the relevant statute and regulations do not define what it means for a provider to "administer" or to be responsible for "the administration of participation" by an institution in "student assistance programs" or "a Title IV, HEA program" (as those terms appear in statute and regulation, and are subsequently paraphrased in the DCL). The regulatory definition of TPS provides examples of functions or services that might lead to TPS status, and one might infer to some extent what "administer" or "the administration of participation" means based on those examples. The list of examples is deliberately not exclusive, however, and no actual definitions of the terms are given.
Why does this matter? Whether or not a company may be considered a TPS hinges on whether it is responsible for the administration of an institution's participation in student assistance or Title IV, HEA programs (again, as specified in statute and regulation, respectively). A clear definition of "administer" in this context might go a long way in helping higher education institutions and third-party providers determine what constitutes a TPS in the broader content, software, systems, and services marketplace. Again, though, clear definitions of those terms in this context are exactly what ED's guidance does not provide.
The DCL's definition of "Third-Party Servicer," which is the definition that ED indicates it will enforce under the current guidance, encompasses providers of "functions or services necessary . . . to provide Title IV-eligible educational programs." As some commenters and EDUCAUSE member representatives have noted, this element of the TPS definition, if not clarified in terms of scope, could apply to a very broad range of contractual relationships, since college/university operations to a large extent involve functions or services to support educational programs, with federal student aid (i.e., Title IV) funds playing a major role in financing those programs.
Furthermore, in its examples of the types of activities that could lead to a provider being classified as a TPS, the DCL describes such activities in very broad terms. For example, in the "Computer Services/Software and Record Maintenance" category, a provider that "has access to, or maintains control over, the systems needed to administer any aspect of the Title IV programs, whether through manual or automated processing, including, but not limited to, systems related to financial aid management, recruitment and enrollment, admissions, registration, billing, and learning management" (emphasis added) would be considered a TPS. As written, this description would cover learning management systems (LMSs) and administrative/enterprise resource planning (ERP) systems, whether implemented on campus or in the cloud. An exclusion for locally managed systems is provided, but it is voided "if the provider performs any activity on behalf of the institution within a system through remote or automated processing, or if the provider uses or has view or update access to any student-level information in any system used for the administration of any aspect of the Title IV programs" (emphasis added). Given the common ways in which systems providers support their systems even when installed and operated locally, the exclusion does not seem likely to exclude much at all.
Unfortunately, expansive descriptions like the "Services/Software" example create a severe problem for many institutions when coupled with another TPS provision. ED's guidance on TPSs bars any foreign-owned/located provider from being a TPS. Thus, if your LMS provider, ERP provider, learning content provider, or other provider happens not to be owned or based in the United States, your institution faces the prospect of having to try to migrate to a U.S.-owned/based provider by the September 1 effective date of the DCL or risk being ruled as out of compliance with Title IV regulations. It is hard to see how an affected institution could make such a transition within a six-month window. Making such transitions even in a two-year window would be difficult in many cases.
The fact that ED has not yet updated relevant compliance documentation cited in the DCL to adjust for its new TPS guidance indicates that perhaps the DCL was not intended to cover all that it now appears to encompass. The DCL was originally supposed to take effect the day that it was issued (February 15). Only after the higher education community formally requested an extension of the effective and comment dates for the DCL did ED reset both—the former to September 1 and the latter to March 29. With that in mind, ED should have had the forms that institutions and providers will need to complete to meet their reporting obligations under the DCL already revised to reflect the new range of contractual relationships affected. However, those forms—one for providers and one for institutions (see "Section J. Please tell us about your third-party servicers.")—continue to reflect only the financial aid functions and services that have historically defined TPSs.
The ED Office of the Inspector General (OIG) released its 2023 audit guide for proprietary institutions and TPSs on March 10, and it has been updated to reflect the expansive terms of the DCL.Footnote1 In addition, both the provider and the institution reporting forms, while not updated with references to the newly covered functions and services resulting from the DCL, do include catch-all "Other" categories where the institution or provider is required to identify any relevant services that the form doesn't directly address. Likewise, the OIG audit guide requires TPSs to submit a letter describing any relevant services that are not specifically addressed in the audit guide, so the lack of updates to the reporting forms wouldn't relieve institutions or providers from any compliance obligations. All of this simply calls into question whether ED was truly intending to assert the full extent of regulatory oversight indicated in the DCL.
EDUCAUSE has requested that ED withdraw and revise its guidance. If that does not happen, the following actions will be required from higher education institutions and service providers:
- Institutions will need to identify—and submit information to ED regarding—any contracted company or organization that might now be considered a TPS.
- Institutions will need to ensure that all of those contracts include specific provisions for TPSs as discussed in the DCL.
- Content, software, systems, and services providers now considered TPSs will need to submit the "Third Party Servicer Data Form" to ED and keep it up-to-date over time.
- These providers will need to prepare for and fulfill annual Title IV compliance audits as prescribed in the ED OIG audit guide.
- Both institutions and their providers will need to explore how the ban on foreign-owned/located TPSs affects their ability to work together, which may lead to a determination that an institution must pursue an alternative provider as soon as possible.
While all of these actions would create unnecessary burdens for higher education institutions and their providers, the latter two requirements have the potential to be particularly costly and disruptive. With that in mind, EDUCAUSE will continue working with our institutional members and other organizations to press ED to revisit and revise its TPS guidance. We believe that ED can and should address its legitimate interests without having an undue—and an unduly negative—impact on higher education as a whole.
- See pp. 8 and 162 for references to the DCL (GEN-23-03), and see the bottom of p. 179, which includes rows for "software products and services involving Title IV administration activities" and "educational content and instruction" derived from the DCL as part of the auditor's checklist of services covered by the audit guide. Jump back to footnote 1 in the text.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2023 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.