Revised Borrower Defense rules went into effect on July 1, 2020. The prior rules were focused primarily on private and proprietary schools, with broad reporting requirements. The new rules are broken down into two distinct parts, and ED has clarified that the first part pertains to both private and public institutions. The second part of the rule includes a new financial responsibility composite score calculation and reporting requirement for private institutions. The financial responsibility composite score and reporting requirements are not required for public institutions, which are deemed financially responsible because they are designated as “public” by a state or local government entity.
The first part of the new rules requires reporting of specified triggering events. These triggering events are broken down into two types: mandatory and discretionary triggers. Mandatory reportable triggers include liabilities arising from a settlement or judgment in a court proceeding, or having two or more of the discretionary triggers in a fiscal year. Discretionary reportable triggers include violation of security or loan agreements with creditors (even if a waiver can be obtained), citations and/or actions from the accreditation agency, and others. Most of these triggers require reporting to ED within 10 days of the event or notification. Institutions are encouraged to become familiar with these new reporting rules and ensure policies are in place to maintain compliance. Since many of the events may involve different departments, the policies should be communicated across the campus, and designated individuals should be assigned to oversee this reporting.
Public institutions are now in year two of audited compliance with the Gramm-Leach-Bliley Act (GLBA), which was initially included in the August 2019 Compliance Supplement. Audit procedures continue to require compliance with GLBA for fiscal years ending in 2020. Compliance with GLBA requires institutions to perform a risk assessment of student information, specifically focusing on financial aid data. This includes addressing three specific areas:
- Annual employee training and management.
- Information systems including network and software design, as well as the way that data is processed, stored, transmitted, and disposed of.
- The detection, prevention, and response to attacks, intrusions, or system failures.
All three of the areas also require a documented safeguard to address the risks identified.
While many institutions may have performed a formal risk assessment with a third party for year one, the results of that risk assessment should now be a working document. This working document will guide their information security program for audit compliance in year two and beyond. Institutions should continue to review, evaluate, and update their security programs as their environment changes, as this will continue to be a student financial aid audit compliance requirement.