ED OIG OFFERS CLARIFICATION ON SINGLE AUDIT SUBMISSION REQUIREMENTS

Some people still don’t seem to understand the 2018 guidance for submitting Single Audit to ED. Simply stated, if you are a submitting an audit for a public or private non-profit institution, you must submit a single audit each year. This is true whether your school’s Student Financial Aid Cluster was audited as a major program or not. If you submit a single audit that includes the SFA Cluster as a major program, you must notify the ED School Participation Division in your region of any low-risk designation beginning with fiscal year 2019.

 

REPORTING FOREIGN OWNERSHIP, CONTROL, GIFTS AND CONTRACTS

As a condition of an institution’s Program Participation Agreement (PPA), colleges, universities and postsecondary schools are legally obligated comply with the statutory requirement to report on ownership/control by and gifts/contracts with foreign sources which is found in HEA Sec. 117 [20 U.S.C. 1011(f)]. Section 117 requires institutions to report ownership and control by foreign sources as well as gifts from, and contracts with, foreign sources that have a value totaling $250,000 in a calendar year. If an institution receives a gift or contract equal to or greater than that amount it must report it to the Department of Education by January 31 and July 31 each year. In a recent electronic announcement, the Department of Education reminded institutions that fail to comply might be referred to the Department of Justice for failing to meet their obligations. Institutions can submit their report by entering the information in Section K, Question 71 of their E-App, and submitting it through the usual process.
Presently the Office of Management and Budget is reviewing the regulatory burden for a new reporting system ED plans to roll out in time for the January 2020 reporting deadline. If it’s approved, schools will have an additional option for submitting the required reports. Should the OMB approve the new system, FSA will provide information in a future electronic announcement.


UPDATE: The OMB did not grant approval to ED for the emergency information collection of foreign gift reporting, thus the new portal is not available for this cycle. A notice was posted int he federal register informing stakeholders of a new information request which will allow the public 30 days to comment on the proposal.

ED ANNOUNCES REVISED POLICY FOR STANDARD TERM LENGTH

For financial aid purposes, Standard Terms are by far the simplest to administer of all the academic calendar options. Over the years, academic calendars have evolved from the traditional academic calendar of a 15-week semester in the fall and a 15-week spring semester or its equivalent in trimesters or quarters, as a result of changes in curricula, new delivery modes, and innovative and flexible program schedules designed to meet the needs of students.

Institutions have been asking for flexibility to modify their terms to meet the Standard Term parameters for a long time. Programs got longer and scheduling longer programs became a challenge for institutions. In some cases, they found it simply wasn’t possible to arrange their coursework in way that would meet the criteria ED specified in its longstanding policy for Standard Term length.  Although Standard Terms don’t have a statutory or regulatory definition, the Department of Education’s policy narrowly defined what a Standard Term was and wasn’t. When a program doesn’t meet ED’s criteria for Standard Terms, we call those either nonstandard term or non-term programs. When an institution runs a program offered in a nonstandard term or non-term academic calendar, the rules for disbursing Title IV aid become much more complex.

“Yesterday’s announcement from ED is bigger news than most people realize because it gives institutions the flexibility to deliver innovative programs and specialized coursework while simultaneously simplifying the process of administering disbursements for those who make the change to standard terms.”

Under the department’s old policy, programs offered in credit hours but offered in terms that were either not substantially equal in length or longer than the maximum length promulgated in ED policy were required to be treated as nonstandard term programs. For many institutions, the revised policy ED released earlier this week provides them with much more flexibility to deliver education to their students in Standard Terms without the additional burden imposed on non-term and nonstandard term programs for administering Title IV aid.

Take Pell Grants for example. Standard Term programs base a student’s Pell Grant eligibility off a student’s enrollment status in each term (think, full-time, 3/4-time, half-time etc.), and the term start and end dates. But in Nonstandard Term programs you can’t simply base aid off enrollment status. Instead a student’s award must be multiplied by a fraction that represents the weeks of instructional time in the term divided by the weeks of instructional time in the program’s academic year. This is particularly important in programs that are at least an academic year in length and have a remaining portion of the program that is shorter than an academic year in length.

Things get a little more complicated when it comes to Direct Loans. For a term-based program using credit-hours, a student could receive a Direct Loan disbursement in the spring term even if they failed courses in the fall term, as long as the student was making satisfactory academic progress. However, if the program used nonstandard terms that are not substantially equal in length, they had to use the nonterm-based rules for Direct Loan disbursements and monitor annual loan limit progression accordingly. Those rules require that a student must successfully complete all the coursework in their payment period with a passing grade to receive a second or subsequent loan disbursement in the next term.

The administrative burden imposed on Financial Aid offices under the nonterm rules are onerous for institutions because of the increased monitoring and coordination needed to ensure that aid is properly awarded and disbursed to students.

It creates a problem for students too because failing coursework inevitably leads to delays in the institutions ability to release FSA funds to students. In this situation, a student, might not be able to receive their spring Direct Loan disbursement until the end of the spring semester.

Under the revised policy, terms that are not substantially equal in length can now be considered standard terms, and the number of weeks in any given term can even vary from year to year without affecting the standard term nature of a program. As a result, programs that disburse Title IV aid using nonstandard term rules, but can now meet the expanded criteria in the Department’s revised policy for standard term length, can use the new rules for standard terms if they choose to. Doing so can significantly reduce administrative requirements related to disbursing title IV, so it’s really something to look at closely.

While institutions have always had the flexibility to self-determine which academic calendar they are using for Title IV disbursement purposes (and the risk of liability if they made an incorrect determination on their own and disbursed aid under the wrong formula), yesterday’s announcement from ED is bigger news than most people realize because it gives institutions the flexibility to deliver innovative programs and specialized coursework while simultaneously simplifying the process of administering disbursements for those who make the change to standard terms under ED’s revised (expanded) Policy for Standard Term Length.


Institutions with questions pertaining to this or other matters of compliance with Accreditation, Federal Student Aid standards are welcome to contact our offices for additional assistance.

FINAL ACCREDITATION AND STATE AUTHORIZATION REGULATIONS RELEASED

The United States Department of Education published final accreditation and state authorization regulations in October. The rules which will govern accrediting agencies and how they accredit institutions, as well as state authorization rules for distance education providers will have two different effective dates. Most of the published regulations will take effect on July 1, 2020, however some of the provisions were scheduled for early implementation beginning on November 1, 2019.

600.2 – Institutional Eligibility

600.9 – State Auth – Religious Institutions

668.43 – State Complaint Process

668.50 – Institutional Disclosure for Distance Programs

The remaining regulations pertaining to the Department’s recognition of accrediting agencies, will take effect on July 1, 2021.

SUMMARY OF MAJOR POLICY CHANGES RELATED TO ACCREDITATION

  • Eliminate geography to determine an accreditor’s scope of recognition and clarify that institutional mission, rather than geographic location, should guide the quality assessment of an institution and its programs.
  • Affirm that accreditors must respect the mission of an institution of higher education that relies upon religious tenets, beliefs, or teachings.
  • Encourage institutions to evaluate the merit of transfer credits and prior learning assessment more fairly to reduce the need for students to take – and pay for – the same classes twice.
  • Allow accreditors to establish different methods of monitoring institutional success, based on the mission of the institution and the goals of its students.
  • Provide flexibility for accreditors to support innovation in higher education, recognizing that innovation has inherent risk, and monitoring the innovation carefully to intervene when student success is at risk.
  • Engage employers more directly in the evaluation of program quality and allow for institutional decision-making models that give employers a more prominent role in recommending program or curriculum updates.
  • Provide opportunities for accreditors to increase standards for accountability, while also providing an appropriate amount of time for institutions to make the changes needed to meet those standards.
  • Allow accreditors to take earlier action when institutions are struggling to require teach-out plans and permitting accreditors to permit teach-out agreements before a school announces its closure.
  • Reduce credential inflation, especially in programs that lead to a State license, to allow low income students the opportunity to pursue those occupations and to ensure that the cost of qualifying for work does not exceed a graduate’s likely earnings.
  • Reduce the time and complexity associated with approving an accreditor’s application for initial or renewal of recognition.

SUMMARY OF MAJOR POLICY CHANGES RELATED TO STATE AUTHORIZATION

  • Make clear that an institution must identify the State in which a student is “located” and, therefore, the State in which the institution must have authorization.
  • More clearly define State authorization reciprocity agreements and reaffirm that they meet the requirements of the State authorization regulations for States that elect to participate in them.
  • Expand consumer protections for students who are enrolled in programs that lead to occupational licensure, including those enrolled in ground-based courses or programs.
  • Reduce the disclosures that institutions must provide students to reduce the cost and burden of distributing them and increasing the chances that students will consider them.
  • Eliminate requirements for States to establish new or separate consumer complaint processes for students enrolled in distance learning programs, while providing other options to ensure consumer protection.
  • Enable institutions to determine the States for which it will determine occupational licensing requirements, while requiring institutions to report that information accurately to students.
  • Enable students to continue their education, even if work or military service requires them to move to a new State, and to allow students to complete internships with potential future employers, without adding new State licensing fees to their institutions.

Institutions with questions pertaining to this or other matters of compliance with Accreditation, Federal Student Aid standards are welcome to contact our offices for additional assistance.


UPDATED – QUESTIONS REMAIN ON RECENT COLLEGE CYBERSECURITY VULNERABILITIES

On July 17, the U.S. Department of Education’s Office of Federal Student Aid issued an Electronic Announcement regarding what they deemed an “active and ongoing exploitation” of a known vulnerability potential in some versions of Ellucian’s Banner software. According to FSA’s “Technology Security Alert, the vulnerability affects Ellucian Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4. Pointing to advisory bulletin by the National Institute of Standards and Technology (NIST), FSA reported that hackers may be able to breach the system through an institutional account and could then potentially use that access to set up “thousands of student fake student accounts”. The Department says that 62 colleges or universities have been identified which may be affected. Federal Student Aid’s Cyber Incident Team is working with institutions to identify if systems were impacted and to facilitate the necessary fixes. FSA asked institutions using Ellucian Banner to do the following:

  1. review the vulnerability details as provided in NIST advisory CVE-2019-8978;
  2. contact Ellucian to receive information needed to patch or upgrade affected systems; and
  3. respond immediately to the Department via email to both FSASchoolCyberSafety@ed.gov and CPSSAIG@ed.gov.
  • Include the following information in your email:
  • Institution’s Name
  • Information Technology (IT) Contact at Institution (Name, Email Address, Phone Number)

Ellucian has since pushed back on ED’s characterization of the nature of breach and its impact, stating that Banner’s potential software vulnerabilities, which were brought to light by both Ellucian and the National Institute of Standards and Technology in May, are unrelated to some of the other cybersecurity concerns outlined by ED. Ellucian said neither they nor ED have reason to suspect that a breach occurred as a result of the Banner software vulnerability. Schools using the impacted software should implement the system patch issued by Ellucian in May, if they have not already done so.

This is the second summer in a row that ED released a Technology Security Alert. In August of 2018, FSA released a warning about a malicious phishing campaign aimed at student email accounts. Officials cautioned that cybercriminals could change student account information including information such as direct deposit banking information which could be used to funnel student refunds and aid distributions into accounts controlled by the attackers. FSA offered this guidance to institutions:

How to protect IHEs: FSA strongly encourages IHEs to strengthen their cybersecurity posture through the use of two-factor or multi-factor authentication processes. These types of authentication rely on a combination of factors, for example, username and password combined with a PIN or security questions or access through a secure, designated device.

If you believe your institution has fallen victim to an attack, report the incident immediately to cpssaig@ed.gov and FSASchoolCyberSafety@ed.gov. Include the following:

  • Name of the institution
  • Date the incident occurred (if known)
  • Date the incident was discovered
  • Copy of the phishing email (if available)
  • Extent of the impact (number of students)
  • Remediation status (what has been done since discovery)
  • Institution point of contact

Suggested remediation steps if an institution falls victim to the attack:

  • Temporarily freeze refund requests until the scope of the incident can be known. Note, refunds must still be provided within regulatory guidelines which may require a change in how impacted IHEs issue refunds, e.g. issue paper checks.
  • Temporarily disable changes to direct deposits for refunds.
  • Block IP addresses observed in institution logs related to the attack.
  • Disable campus credentials or passwords for potentially affected students and require password resets.
  • Perform additional forensic analysis on server and application logs from recent weeks.
  • Notify all students, warning them of active phishing attempts and encourage them to be vigilant and careful about using links and entering personally identifiable information into websites.

UPDATED – On Tuesday August 6, the Department of Education released an updated Technology Security Alert regarding the vulnerability in Banner Web Tailor and Banner Enterprise Identity Services.

The Department dialed back their claims that Banner products were affected and instead point to vulnerabilities in “third-party software” being used as “front-end access points to the Ellucian Banner System and similar administrative tools”. The Department also confirmed what Ellucian has been saying all along – “To date, based on reports from targeted institutions, we have not found any instances where the Ellucian Banner System vulnerability has been exploited or is related to the issues described in the original alert.”

In an emailed statement from Ali Robinson, an Ellucian spokesperson, he said

“Research by the Department has found:

  • no instances where the known Banner vulnerability has been exploited or where it is related to the issues described in the original alert.
  • an industry-wide issue in which attackers use automation tools to submit fraudulent admission applications in order to obtain new student accounts.

Additionally, I should note that, Ellucian has conducted its own research and monitoring that has produced no evidence of any attempt to attack the known Banner vulnerability.”

The Department is advising institutions to  review any third-party front-end applications to ensure that they are not introducing unpatched vulnerabilities, or increasing the risk of potential future issues through automation attacks. The Department reccommends that insitutions implement human validation checks as part of their front-end portal submission process.