All schools that participate in the William D. Ford Federal Direct Loan (Direct Loan) Program are required to implement a quality assurance process within their financial aid office operations. The Direct Loan Program regulations at 34 CFR 685.300(b) (9) require schools to implement and document a quality assurance process to ensure that they are complying with program requirements and meeting program objectives.
Your school must have a quality assurance process in place that documents that the school is:
Reporting loan records, disbursements, and adjustments to disbursements correctly to the Common Origination and Disbursement (COD) System,
Disbursing and returning loan funds in accordance with regulatory requirements,
Disbursing the correct loan amount to the correct student, and
Completing monthly reconciliation and Program Year Closeout
To be effective, the steps for implementing a Direct Loan quality assurance process will be unique to each school and need to take into account the characteristics of a school’s academic policies and programs and its borrower population. Schools should use self-assessments to examine their procedures and take action on an ongoing basis to strengthen areas of risk.
The Department of Education (the Department) does not mandate the method by which schools meet the quality assurance requirement. Schools may have institutional-designed assessments and quality assurance processes in place to ensure that the Direct Loan quality assurance requirement is met. However, there are several options and tools available from the Department that can assist schools in meeting the quality assurance requirement. Schools can choose from these tools to best fit their needs.
In collaboration with schools, the Department has designed the FSA Assessments to assist schools with compliance and improvement activities. The FSA Assessments, including Direct Loan-specific activities, are available under “Tools for Schools” on the Information for Financial Aid Professionals (IFAP) Web site.
Regardless of the method or tools a school chooses, it is important to have a clearly documented quality assurance process, to review this process on a regular basis, and document that the process is being used. The quality assurance documentation should be easily accessible and readily available to Department reviewers in the case of a program review or audit.
Protecting Personally Identifiable Information (PII)
“PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.”
Schools that participate in the FSA programs are required to follow Federal Trade Commission regulations. This means that all schools MUST develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards designed to achieve the following objectives:
– Insure the security and confidentiality of personal information,
– Protect against any anticipated threats or hazards to the security or integrity of such information, and
– Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer
***If you do not have a written security plan you are not compliant***
A privacy breach occurs when PII is lost, stolen, disclosed or otherwise exposed to unauthorized people for unauthorized purposes. This includes PII in any format, and whether or not it is a suspected or confirmed loss
Examples of PII breaches:
• PII left on the printer or scanner
• PII e-mailed without encryption or other protection
• PII mailed to the wrong recipient
• PII stored on a stolen laptop or thumb drive
• PII posted to a public-facing website, etc.
Only collect and use information that is absolutely necessary, and only share with those who absolutely need the information
“Review and reduce”—inventory your PII and PII data flows, and look for ways to reduce PII
Follow all Departmental policies and procedures
Think before you hit the “send” button (E-mail is by far the #1 source of breaches)
“Scramble, don’t gamble”—encrypt, encrypt, encrypt
Minimize (or eliminate) the use of portable storage devices
Protect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.