A new Government Accountability Office (GAO) report released on Monday calls on the Department of Education’s Office of Federal Student Aid (FSA) to improve the consistency of its oversight of lending partners to better protect the personally identifiable information (PII) of students.
“While FSA established requirements for loan servicers and private collection agencies, along with processes for ensuring their implementation that generally adhered to the key practices, the agency had not ensured that controls are tested and results are reported on an ongoing basis,” GAO stated. “FSA’s limited oversight could result in inconsistent or ineffective implementation of security controls, which in turn could have serious consequences for the privacy of millions of borrowers whose information is shared with non-school partners.”
The report detailed how FSA’s oversight and monitoring do not meet guidance provided by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). While FSA’s procedures for loan servicers, private collection agencies, and guaranty agencies meet most of the guidance for protecting PII, the agency did not fully implement continuous monitoring measures. The agency maintained conference calls, vulnerability scans, and self-reported assessments with guaranty agencies, but did not receive regular reports. FSA also required loan servicers and private collection agencies to test a subset of security controls quarterly and all controls at least once every three years, but did not specify which controls must be tested. “Without fully establishing policies and procedures for ongoing monitoring of security controls implemented by loan servicers and private collection agencies, FSA has less assurance that these controls are effectively implemented and operating as intended,” the report stated.
GAO also called out FSA’s lack of documentation for partners under the Federal Family Education Loan (FFEL) program, a program which stopped issuing new loans in 2010 but still involves 1,079 lenders. “FSA established high-level requirements for FFEL lenders to protect student aid data, but it exercises minimal oversight to ensure implementation of security and privacy protections for these data,” the report noted. GAO found that FSA could not demonstrate any process for independent assessments of FFEL lender controls, any process for corrective actions, or any monitoring process.
In its recommendations, GAO called on FSA to enroll loan servicers and collection agencies in its continuous monitoring program, establish a process to monitor guaranty agencies’ security controls, and develop procedures to assure that FFEL lenders have the proper security controls in place.
In its response, FSA agreed to enroll loan servicers into its continuous monitoring program and outlined a similar procedure for collection agencies, but only partially agreed with GAO on monitoring guaranty agencies, claiming that its current practices provide for annual assessments. FSA disagreed with GAO on developing policies to ensure FFEL lenders have security controls in place, stating “it lacks statutory authority under the Higher Education Act to monitor FFEL lenders in this area.” FSA also noted the existing regulations from other legal authorities for these vendors.