Gramm-Leach-Bliley Act for Financial Aid Val Meyers Associate Director Michigan State University

GLB Act – who is affected  Federal Trade Commission Regulation  Applies to all institutions that act in a banking capacity  Applies to universities that make loans and/or do loan collections  This includes Perkins Loans, institutional loans, and “school-as-lender” FFELP

GLB Act – what it means  Requires institutions meet standards related to safeguarding customer financial information  Deadline for compliance was 5/23/03  Two major areas  Privacy of information  Safety of information

Privacy of Information  Universities who abide by FERPA are meeting the criteria to protect information privacy  FERPA – Family Educational Rights & Privacy Act  Protects the privacy of all student educational records, including financial information

FERPA Requirements  You should have a written policy in place  Staff should have periodic training  Exceptions are “need to know” within the institution  Audits  Law enforcement with proper legal documents  Financial servicers or partners (i.e., loan servicers, collection agencies)

FERPA Extended  To comply with GLB, financial information for non-students must also have privacy protection  Apply FERPA policies to parents and anyone else for whom you make loans

Safety of Information  Natural Disaster  Human Error  Deliberate Fraud  Corruption of Data  Theft of Hardware, Software, Reports  Unauthorized Access

Safety of Information  Natural Disaster  Backups in remote locations  Human Error  Audit trails, reports  Deliberate Fraud  Separation of Duties

Safety of Information  Corruption of Data  Secured Access  Anti-virus software  Firewalls & hacker protection

Safety of Information  Theft of Hardware, Software, Reports  Secure during non-business hours  Work areas require escort  Documents control  Shred discards  Keep unauthorized visitors away from documents

Safety of Information  Unauthorized Access  Password access  Anti-hacker software  Policies on who may receive reports and files from your office  Privacy shields on computers

Task Force Concerns  Involve all offices who handle student loan or collections data  Financial Aid  Bursar/Controller  Information Technology/Computer Systems  Recommended addition  University Counsel

Designate a Compliance Office or Officer  Each institution must designate a compliance office or officer who is responsible for holding and monitoring compliance documents

Risk Assessment Documentation  List each privacy and safety concern  Address how your institution minimizes each risk  Documents should be on file from each office that “touches” the data  Third party servicer contracts should contain protective language as well

Contract Language  University Counsel should recommend contract language to be inserted in all university contracts with 3 rd party vendors who have access to your student/parent financial loan data  The deadline to add such language to your contracts was May 2004

Recommended Office Policies  Place all student-specific documents in shredding bins  Verify identity of students & parents before sharing data  Refer 3 rd party requests to your designated staff  May be Compliance Officer, AD or Director  Report computer problems promptly

Other Office Policies  Staff must not share passwords  Lock or power down computers when leaving work area  Shield computer screens and data from other students  Do not leave visitors unattended

Questions & Answers Val Meyers Michigan State University