Response to 60 Day Comments

Comment

Submitted By

Department’s Response

1. Anonymous agrees that it is important for the Department to have up-to-date business contact information for relevant officers of Third-Party Servicers but does not support the collection of home address, personal telephone number, personal fax number and personal e-mail address for relevant officers.

Anonymous stated this information does not validate information reported by institutions and is not necessary for oversight if the Department has the relevant business contact information in its possession.

Anonymous also expressed concern about the Department’s lack of controls to protect confidentiality.

Similarly, COHEAO requested the Department strike all fields seeking personal information of individuals employed by the third-party servicer (highest ranking officer, primary and secondary contacts of the company/organization).

Anonymous

COHEAO

The Department disagrees with Anonymous’ assessment that obtaining personal contact information for relevant officers employed by a third-party servicer is unnecessary for effective oversight.

As part of its oversight responsibility, the Department must be able to obtain and/or share information timely with owners and officials of entities that perform any aspect of the administration of the Title IV Programs on behalf of institutions. Numerous events in recent years, including but not limited to, precipitous closures, institutional or servicer data breaches, the Covid-19 Pandemic, and natural disasters such as hurricanes, tornadoes, wildfires, and historic flooding have hindered the Department’s ability to issue time sensitive correspondence and/or reach owners or officials with the business information currently provided or publicly available for these individuals.

In response to the concern regarding the Department’s ability to protect confidentiality, the Partner Connect system is a secure, password protected portal and the Department does not release personal contact information in response to Freedom of Information Act requests.

2. Anonymous does not support the requirement to submit copies of all contracts with institutions and subcontractors.

Anonymous stated that institutions are only required to provide contracts with third-party servicers upon the Department’s request when there is a specific issue that requires the Department’s review or oversight.

Anonymous also stated that contracts with institutions and subcontractors are confidential and include proprietary information and trade secrets, such as pricing and detailed lists of services performed. Anonymous expressed concerns regarding the Department’s ability to protect confidentiality and stated that it is inappropriate for the

Department to make a request that would subject a Third-Party Servicer’s trade secrets to potential review by competitors and clients alike.

COHEAO requested the Department eliminate the request for third-party servicers to submit a copy of the company/organization’s contract with each institution because these contracts (including amendments, etc.) are highly confidential and burdensome to produce.

Anonymous

COHEAO

The Department has determined that contracts are required to validate the information reported by institutions and third-party servicers as well as to collect information necessary for the effective oversight of the individuals and entities that subcontract to perform functions and services on behalf of the third-party servicer to fulfill its obligations to an institution.

The Department must have this information to validate institutions correctly reported the services and functions that are being performed on behalf of the institution; ensure debarred individuals/entities are not performing work as subcontractors; and to ensure all functions and services performed by a third-party servicer and its subcontractors is included in the scope of a third-party servicer’s annual compliance audit.

As stated above, the Partner Connect system is a secure, password protected portal. In addition, users will have the ability to identify contracts uploaded in response to this request contain proprietary information.

34 C.F.R. § 668.25(e)(2) does not limit the Department’s ability to require institutions or third-party servicers to submit copies of contracts as part of an information collection request.

3. Anonymous agrees that it is important for the Department to have certain ownership information about the entities that perform Title IV services or functions for institutions, but objects to providing an organizational chart that includes employee names and titles. Anonymous stated the request is overbroad, does not validate the information reported by institutions, and is not necessary for the proper functioning of the Department or effective oversight of Third-Party Servicers. Anonymous also stated that this information will likely be confidential, proprietary, and contain trade secrets.

Anonymous

The Department disagrees with Anonymous’ assessment that the organization chart does not validate information reported by institutions and is not necessary for effective oversight of Third-Party Servicers. The Department has collected organizational charts as part of the current TPS Data Form request since 2015 and has used the form to validate information reported by institutions, as well as an oversight tool to determine if debarred individuals are employed by the third-party servicer.

As stated above, the Partner Connect system is a secure, password protected portal. In addition, users will have the ability to identify organizational charts uploaded in response to this request contain proprietary information.

4. Anonymous expressed concern that the Department is increasing the compliance burden and costs for Third-Party Servicers to comply with the proposed Form by asking for information such as the software systems utilized to perform Title IV services or functions. Anonymous stated that it is unclear why the Department needs to know which software systems are used to perform Title IV services or functions. Similarly, COHEAO requested the Department eliminate the request to provide the name and contact information of the software systems and providers used because it reveals sensitive and confidential information.

COHEAO requested the Department reduce the request for information regarding the Department systems a third-party servicer accesses/utilizes to perform functions to high level and seek information about the systems used by third-party servicers generally but not specifically as to a particular institution.

Anonymous

COHEAO

Third-party servicers frequently download information from both institutional and Department systems into systems owned, operated, and controlled by the third-party servicer or an entity that contracts with the third-party servicer. These systems contain students’ financial, academic, and personally identifiable information (PII). As part of its oversight responsibilities, the Department must know how information is shared, used, and maintained to ensure student information is appropriately safeguarded and the information collected is only used for the administration of the Title IV programs. The Department also needs this information to identify cybersecurity risk and to respond timely in the event of a security breach.

Contracts are frequently customized to meet the needs of an individual institution, including how information is accessed and stored between the institution and its third-party servicers. For effective oversight, the Department must collect this information at the institutional level.

The Department reviewed the software questions and has confirmed the information regarding software providers is needed for appropriate oversight of third-party servicers.

As stated above, the Partner Connect system is a secure, password protected portal and users will have the ability to identify contracts contain proprietary information.

5. Streamline the section regarding Subcontractors and Affiliate information to seek information (i) only about vendors or subcontractors that perform key servicing functions and (ii) that is necessary to validate information and exercise appropriate oversight.

COHEAO

The Department reviewed the Subcontractor and Affiliate Information section and has determined this information is needed to ensure all functions and services performed by a third-party servicer and its subcontractors is included in the scope of a third-party servicer’s annual compliance audit as well as to ensure student information is appropriately safeguarded and the information collected is only used for the administration of the Title IV programs.

6. COHEAO believes it would be more efficient for third-party servicers to provide the services that can be provided and require institutions to provide information regarding the services used at the institutional level.

COHEAO

The Department has determined it is essential for third-party servicers to report the services provided for each institution to validate the information institutions report on the E-App. The Department has noted that institutions frequently report inaccurate information regarding the services third-party servicers perform on their behalf. In addition, the Department has identified deficiencies during program reviews in which institutions believed that a servicer was performing a specific service or function that the servicer was not in fact performing. For effective oversight, the Department must understand both the scope of services offered by a third-party servicer as well as the specific services the third-party servicer provides to each institution. The Department plans to coordinate with institutions and third-party servicers to resolve discrepancies when conflicting information is reported.

7. Anonymous and COHEAO asserts the information request extends beyond the Department’s obligation to supervise and oversee third-party servicers and validate the information it receives from institutions. Both Anonymous and COHEAO requested the Department limit the information sought to the maximum extent possible to reduce the compliance burden of Third-Party servicers.

Anonymous

COHEAO

The Department disagrees with this assertion.

All of the information the Department is seeking will be utilized to validate information reported by institutions and/or to ensure Third-Party servicers and subcontractors are complying with applicable regulations including safeguarding of student information.