Overview
Institutions of higher education frequently engage third-party service providers to support the development and delivery of online programs. These partnerships can enhance operational efficiency, expand technological and marketing capabilities, strengthen student engagement, and provide direct instructional or curricular support. When implemented responsibly, they enable institutions to reach new learners and improve the quality and accessibility of their offerings.
While there can be many benefits in forming these partnerships, they have also increasingly faced scrutiny from lawmakers and student-consumer advocacy organizations in recent years and can introduce a number of legal, regulatory, and reputational risks if appropriate precautions are not taken. This UPCEA Policy Matters: Primers and Insights resource was developed to help institutional leaders, program administrators, and compliance professionals identify and manage key risks involved with these partnerships. In addition, this resource shares institutional policy recommendations and practical guidance for responsible collaboration with third-party service providers operating in the online learning space.
Defining Third-Party Entities
Understanding how federal and accreditor requirements apply begins with defining the types of third-party entities involved:
- Third-Party Servicers (TPS): Entities that administer Title IV functions on behalf of an institution (e.g., financial aid processing, disbursement, default management). These are subject to federal regulations under 34 CFR 668.2 and 668.25 and must be reported to the U.S. Department of Education (ED) via the E-App system within 10 days of entering into a new contract, or significantly modifying an existing contract.
- Third-Party Providers (TPP): Entities that offer educational or operational services—such as online program managers (OPMs), curriculum developers, and student recruitment firms—that may not meet the federal definition of a TPS but nonetheless require institutional oversight.
The distinction is critical: While TPSs are more explicitly regulated by ED, TPPs may still trigger compliance obligations depending on the nature of their work. Institutions remain ultimately responsible for all Title IV functions and may be held jointly and severally liable for a servicer’s violations.
Federal Oversight and Regulatory Scrutiny
Recent ED guidance and policy initiatives have placed renewed focus on the role of third parties in higher education, particularly OPMs and bundled-service models that combine marketing with recruitment or instruction. After widespread criticism and a lawsuit, implementation of an expanded TPS definition was rescinded, although regulatory uncertainty persists. Federal interest centers on whether third-party arrangements unduly influence core academic or financial operations, blur institutional accountability, or enable incentive-based recruitment practices and tuition-sharing, which may violate the federal incentive compensation ban.
Institutions that rely on vendors for recruitment, course design, technology, student support, or financial aid–related services must evaluate whether those functions meet the TPS definition and, if so, report them accurately to ED. Misclassification or failure to report can lead to serious consequences, including program-review findings, financial liabilities, and/or the loss of Title IV eligibility. Proactive compliance—through contract reviews, accurate classification, and robust monitoring—protects institutional standing and preserves student access to federal aid.
Common Compliance Risks
Common compliance risks in third-party partnerships typically emerge when outsourced activities dilute institutional accountability, operate without sufficient institutional oversight, or fall out of alignment with federal, state, or accreditor expectations. The table below outlines several key risk areas and shares examples of how these risks can materialize.
| Risk Area | Concerns and Examples |
| Revenue Sharing | Violations of the incentive-compensation ban when recruitment is tied to enrollment outcomes. |
| Inadequate Disclosures | Misrepresentation of program costs, outcomes, or accreditation by vendors. |
| FERPA & Data Privacy | Unauthorized data access or sharing of student information. |
| TPS Misclassification | Failure to identify and report a qualifying third-party servicer. |
| Accreditation Misalignment | Outsourcing curriculum or instruction without accreditor notification or approval. |
| Marketing | ED published a Dear Colleague Letter outlining common legal and regulatory risk areas involved with working with TPPs in January 2025, with an emphasis on avoiding misrepresentations with regard to these partnerships. |
Other potential risk areas in a TPP include accessibility compliance, intellectual property rights, sanctions compliance (OFAC restrictions), and state or international data protection obligations. Each contract should address financial terms, brand use, amendment and exit protocols, subcontracting, and consumer protection expectations.
Reputational Risks
While partnerships are often critical to developing and delivering online and continuing education programs, contracting with a TPP or TPS can also carry significant reputational implications. The table below highlights several areas of concern and shares real-world examples
| Risk Area | Concerns and Examples |
| Perception of Outsourcing Core Academic Functions | Excessive reliance on vendors may raise concerns among faculty, accreditors, and students about institutional autonomy. Students, in particular, may feel deceived if major parts of their program are outsourced, which can lead to consumer protection complaints and lawsuits. |
| Negative Media Attention | Controversies involving a partner (e.g., predatory recruitment practices or concerns over third-party instructors) can be covered by local and national media, amplifying reputational damage. |
| Regulatory Scrutiny | Partnerships with providers under investigation by the ED, the U.S. Consumer Financial Protection Bureau, Federal Trade Commission, or state attorneys general can signal weak governance and a lack of due diligence on the part of the institution. |
| Mission Misalignment | Service provider models that emphasize profit over access and equity can undermine institutional values, particularly for public and nonprofit institutions. |
| Attention from Lawmakers | Lawmakers increasingly question opaque or tuition-sharing OPM arrangements. Based on a request from members of the U.S. Congress, this Government Accountability Office report from 2022 outlines concerns and provides policy recommendations. |
Other potential risk areas in a TPP include accessibility compliance, intellectual property rights, sanctions compliance (OFAC restrictions), and state or international data protection obligations. Each contract should address financial terms, brand use, amendment and exit protocols, subcontracting, and consumer protection expectations.
Institutional Oversight Responsibilities
Federal regulations (34 CFR § 668.25 (c)(3)) make clear that institutions and their servicers share joint and several liability for Title IV compliance. Outsourcing does not transfer accountability. To manage this responsibility, institutions should adopt a centralized oversight model with the following components:
- Governance Structure: Assign a lead office—such as General Counsel, Compliance, or Financial Aid in partnership with Academic Affairs—to maintain a registry of all TPP/TPS contracts. Establish a committee of institutional/programmatic stakeholders to regularly review all third-party relationships.
- Executive Sponsorship: Engage senior leadership (Provost, CFO) to reinforce accountability. Provide institutional leaders regular reports on third-party arrangements and their outcomes.
- Pre-Contract Review: Evaluate whether proposed services meet TPS definitions, confirm vendor eligibility, and assess associated risks. Create a formal checklist or TPS approval process before any new vendor contract is signed.
- Contract Provisions: Include right-to-audit, termination clauses, prohibitions on subcontracting without approval, and explicit reaffirmation of Title IV responsibilities.
- Marketing & Communication Controls: Require institutional approval of all student-facing materials and compliance with federal misrepresentation standards (34 CFR §§ 668.71–75). This includes ensuring OPM/recruiter staff do not hold themselves out as institutional employees if they are not. Recent ED guidance warned schools that misrepresentation by OPM personnel (e.g. using an “.edu” email to seem like college staff) could result in loss of federal aid.
- Ongoing Monitoring: Conduct annual performance and compliance reviews, including technical, operational, and student-experience metrics. This could include reviewing a sample of their interactions with students for compliance, verifying they’re meeting contract standards (e.g. data security measures, no incentive compensation), etc. Also, require the TPS to provide their independent annual audit results to the institution (since TPS must get a compliance audit per 34 CFR 668.23 and 668.25).
- Training & Awareness: Educate boards, leadership, and contract managers on the institution’s non-delegable responsibilities.
Bottom line question: Does our institution have a formal policy on third-party contracts (outlining required reviews, approvals, and monitoring responsibilities)? If not, should we create one? Embedding these practices within policy and culture helps institutions manage partnerships responsibly while protecting students and federal interests.
Accreditor and State Considerations
Accreditor Requirements
Institutional accreditors require that institutions retain full control of academic quality and integrity. Most apply a 25% / 50% rule—notification if 25% or more of a program is outsourced; prior approval if 50% or more. Accreditors expect:
- Contracts affirm institutional control over curriculum, faculty, admissions, and assessment.
- Documented monitoring and evaluation of vendor performance.
- Clear communication to students that they are enrolled in the accredited institution, not the vendor.
Bottom line question: Have we informed our accreditor of each current partnership that involves instruction or support exceeding their notification threshold? Failure to notify or seek approval can jeopardize accreditation and raise concerns about governance.
State Requirements
Several states impose additional oversight for vendor arrangements, especially related to consumer protection and authorization. For example:
- Minnesota (Minn. Stat. § 136A.828, § 135A.195): Prohibits misleading advertising by institutions or their agents and—starting in 2025—bans new tuition-sharing contracts at public institutions unless approved by governing boards.
- Ohio (House Bill 96): Prohibits misleading advertising by institutions or their agents and includes contract disclosure requirements but does not ban tuition-sharing contracts.
- Other States: California, Maryland, New Jersey, and Illinois have introduced transparency or limitation bills on OPMs that, while not enacted, indicate growing legislative interest.
Institutions should ensure that contracts require vendor compliance with state laws, grant audit and termination rights, and preserve institutional control over all student-facing activities.
Key Recommendation
To operationalize the above, adopt a multi-level review process for all third-party agreements that includes:
- Federal compliance screening (TPS definitions and Title IV liability),
- Accreditor notification or approval checks,
- State authorization and consumer-protection review.
Bottom line question: Before signing any third-party contract, does our review process cover federal (TPS), accreditor, and state compliance checkpoints? Integrating these layers demonstrates comprehensive oversight and reinforces institutional accountability.
Preparing for the Future
The landscape for third-party oversight is evolving rapidly. ED’s interpretation of “third-party servicer,” coupled with expanding state and accreditor expectations, suggests that compliance obligations will continue to grow. Institutions should monitor federal rulemaking closely and anticipate that future definitions may extend to vendors offering AI-driven analytics, alternative-credential platforms, and experiential-learning placements.
To prepare, campuses should:
- Build flexibility into contracts:
- Including sunset clauses that require contract renewal every 2-3 years based on performance and regulatory shifts;
- Adding a regulatory-change clause that automatically triggers negotiation or modification if federal or state rules affecting TPP/TPS are revised;
- Implementing annual vendor compliance attestations, requiring vendors to confirm adherence to FERPA, accessibility standards, data-protection rules, and incentive compensation prohibitions;
- Creating an internal contract review workflow where legal, compliance, accessibility, IT security, and academic leadership must sign off before renewal.
- Inventory all vendor relationships and classify their compliance risk by:
- Maintaining a centralized vendor registry that logs services, data flows, contract owners, renewal dates, and risk tier;
- DEveloping a TPP/TPS classification rubric that evaluates factors like instructional involvement, student data access, recruitment roles, and financial structures;
- Using data maps that show what student information each vendor receives and for what purpose;
- Requiring a pre-procurement risk review before any new vendor is engaged.
- Strengthen institutional capacity for adaptive oversight and cross-departmental coordination by:
- Establishing a cross functional TPP/TPS oversight committee including compliance, IT security, legal, procurement, financial aid, accessibility, academic affairs, and institutional research;
- Building standard operating procedures for onboarding vendors, reviewing data flows, and monitoring instructional or recruitment related activity;
- Implementing periodic vendor audits such as data-protection checks or accessibility spot checks;
- Providing annual training for faculty and staff on TPP/TPS, responsibilities, and documentation expectations.
- Foster campus-wide understanding that vendors act as extensions of the institution by:
- Creating a campus guidance document translating federal rules into plain language;
- Requiring units using vendors to certify compliance responsibilities annually;
- Hosting briefing for academic leadership (i.e. deans, department chairs, etc.) on expectations for TPP/TPS relationships and institutional obligations;
- Embedding TPP/TPS oversight principles in academic governance, online program approval processes, and new program planning activities.
- Monitor rulemaking and the Federal Register for notices for regulatory changes on TPS, incentive compensation, or other related issues.
- Assign a regulatory liaison (or small team) responsible for tracking changes in regulations or emerging policies;
- Maintain a living log of regulatory updates with summaries and interpretations that can be shared campus wide;
- Submit institutional comments to ED when proposed rules affect online education, TPP/TPS definition, incentive compensation, or data privacy;
- Integrate rulemaking updates into leadership briefings and online program strategy meetings.
Bottom line question: How will we stay nimble and update our third-party partnership strategies in response to new regulations or emerging risks? Treating compliance as a continuous cycle—rather than a one-time contract negotiation—positions institutions to remain both credible and resilient in an era of increased regulatory attention.
History of Changes/Authorship
This guide was originally authored by Erika Swain of the University of Colorado Boulder, Ricky LaFosse of the University of Michigan, and Laura Hendley at Stevenson University with input by the UPCEA Policy Committee and Staff. It was first published and last updated on January 23, 2026.
Have a question about or suggestion for this resource? Contact us at [email protected].