The FTC and its risk impacts on Higher Education
When thinking of the Federal Trade Commission (FTC), banking and consumer protection laws come to mind, but recently FTC rules have also begun to affect colleges and universities.
One FTC regulation is the “Safeguards Rule”, which requires the development of an “information security program” to protect sensitive data. The rule further mandates that any Title IV-participating institution follow specific guidelines in order to maintain eligibility for federal student financial aid.
Like banks, colleges and universities maintain and handle significant amounts of sensitive financial data. The spirit of the FTC rule is to ensure the protection of this data, and this results in additional risk and compliance requirements similar to those in the financial industry.
Why is this important?
The risk of losing eligibility for federal financial aid is a major concern, but addressing the cascading downstream effects on the following areas may require new methodologies to comply with regulations:
Advertising, Marketing and Recruitment Practices: The FTC issued a Notice of Penalty Offenses to inform educational institutions of certain practices that are “deemed unfair or deceptive.” Deceptive marketing practices are making headlines. Below are some risk considerations:
Are you aware that third parties used for marketing or recruiting must also comply with the rule? Outsourcing to a third party does not offload the risk. What policies and procedures will you implement to mitigate vendor risk?
Demonstrating to students and families that your practices are transparent and honest is essential to compliance and to your brand. How will you communicate this message?
Data Privacy and Security: Cybersecurity controls and mitigations are central to the FTC requirements. Section 314.4 identifies the elements that must be included in an information security program. Key requirements include:
An incident response plan.
Secure collection and storage of data.
Limiting the data collected to only what is necessary.
Secure disposal of sensitive data.
Challenges
Compliance in higher education is challenging; unlike in corporations, centralized compliance functions and support for risk management controls are not always in place. Additionally, the cost of compliance will strain budgets, and that pressure, coupled with the strain on information technology team resources, will necessitate a new approach. Mitigating this risk will also have to go beyond insurance.
In my opinion, the best method to address the increasingly complex regulatory environment will have to be multifaceted and involve multiple departments.
Major changes
Valuing and promoting trust and transparency is paramount when it comes to students' and families' understanding of the cost of tuition and the financial options available. Resources focused on clear communication regarding costs and tuition refunds should be dedicated to this area.
The regulatory environment is dynamic. In addition to the FTC, the Consumer Financial Protection Bureau (CFPB) is impacting higher education by ensuring financial products offered to students and families are fair and transparent.
Colleges and universities will have to invest in staff training and new tools, bolster resources, or hire third-party experts to address these demands.
Implementing a robust governance, risk and compliance model and encouraging shared oversight may help improve controls and mitigate the risks of fines and penalties.
Next steps:
In addition to enhanced cyber and data security measures and transparency, cross-functional collaboration is key to success.
Conducting regular strategic enterprise-wide risk assessments to identify emerging threats can also help to avoid non-compliance.
Record retention is critical. Having a centralized and well-defined plan will be integral in the event of a regulatory investigation or audit.
Supporting robust risk management practices, including a thorough review of third-party vendors and their insurance, should be part of your toolkit.
Final thoughts:
To better protect students, avoid fines and damage to reputation, it is imperative that the Financial Aid Office, Registrar, Administration, IT, Risk Management, Procurement, Legal, HR, Audit, and Compliance partner to manage the increasingly complex regulatory landscape.
By practicing enterprise risk management and embedding a culture of transparency and accountability, colleges and universities can rise to the challenges of new regulations and maintain financial resilience.