As the pandemic still strongly lingers and most schools have returned to the routine of in-person education, a new administration is settling in, and updates to regulations are on the horizon. As it can be hard enough to keep up with current guidelines while improving on internal processes, we wanted to touch on a couple of subjects and reminders to help you this year.
Student Information Security Policy – Risk Assessment
Since being added as an audit requirement in October 2019, compliance with the Gramm-Leach-Bliley Act (GLBA) and the protection of personally identifiable information (PII) have really come into full swing. Especially now, with many institutions offering online or hybrid programs, the evolution of technology has made it a lot easier to deliver educational materials and to interact with students virtually on an everyday basis. Cybersecurity has been at the forefront for some time now, but with data breaches and attacks on colleges and universities increasing, now is the time to beef up your protection.
Schools are required to have an information security policy in place for handling financial and personal data, as part of the administration of their financial aid programs. Your auditor will not only review and evaluate this policy, but will also verify that the school has performed the required risk assessments and has documented the safeguards for each risk that may be identified. Failure to perform a risk assessment is the most common audit finding associated with GLBA compliance. As a reminder, any findings noted with your information security are relayed to the Federal Trade Commission, as well as the Federal Student Aid Cybersecurity Team. With the bulk of personal student information your school may have stored internally, on top of the escalating rise in cyber threats, you need to take it seriously, no matter how small or safe you think your school may be.
The Department typically recommends a risk assessment be performed at least annually to review your processes and account for any changes. Your auditors will request the actual audit evidence of these assessments, along with proof that the appropriate employee and management training took place. The assessment should be designed to provide a measurable and repeatable process to assess a school’s level of cybersecurity risk and preparedness. Auditors also look for a form or document that identifies physical and virtual access points and the possible level of threats that may be associated with your network design. We also examine how information is processed and stored, and the safeguards that were put in place for each risk identified. There is a dedicated information page the Department has provided for Cybersecurity Compliance, but it is also beneficial to run through the most recent FSA Training Conference materials (FSA Conference) to keep yourself updated.
Title IV Credit Balances – Requirements When Student Authorizations are Obtained
The majority of findings we note with credit balances deal with timing issues (CFC111820). However, schools that are financially sound and not under any cash monitoring restrictions are allowed to obtain student (or parent) authorization to hold a Title IV credit balance past the required 14 days. According to Volume 4 of the Federal Student Aid Handbook, if a school holds excess student funds, the school must:
- Identify the amount of funds the institution holds for each student or parent in a subsidiary ledger account designed for that purpose;
- Maintain, at all times, cash in its depository account in an amount at least equal to the amount of funds the institution holds on behalf of the student or the parent; and
- Notwithstanding any authorization obtained by the school, pay any remaining balance on loan funds by the end of the loan period, and any other remaining Title IV funds by the end of the last payment period in the award year for which the funds were awarded.
A subsidiary ledger should be a separate ledger or listing that identifies students with current credit balances that are held and their applicable amounts. So at any given time, a school should be able to refer back to this listing and know how much a student is still owed. Having this subsidiary ledger goes hand in hand with the next requirement, which is maintaining, at all times, cash in a depository account of at least the amount of funds held on behalf of the student by the school. The total amount of funds currently held by a school should be easily identifiable, and a school must ensure the total is covered by cash balances in its bank.
Student authorization rules have been around for many years, and this is not anything new. Cash management regulations are in effect to allow students to have better access to any overage in Title IV funding to help with cost of living and other expenses. And as a reminder, a student can request that overage at any given point during the period it is held. Though it may seem like a tall order to maintain a subsidiary ledger and monitor your bank balances, that is what’s required by law (34 CFR 668.165) when you obtain student authorization to hold credit balance funds. It’s not quite the luxury and administrative reprieve that schools once thought. The one clear remedy? Do away with student authorizations and pay any applicable credit balance within 14 days of its creation each payment period.
These topics will circulate indefinitely. Whether old, new or a coming attraction, make sure to keep in the habit of staying up to date on Department releases or water cooler talk from your auditors. For everything else, turn to the experts at Sikich.