Main Nav

EDUCAUSE Comments: Financial Aid Fraud and Identity Verification

EDUCAUSE submitted comments last week in response to a U.S. Department of Education (ED) notice about ED’s intent to hold a negotiated rule-making process later this year on financial aid fraud in online/distance learning programs. We focused on the potential of InCommon and its joint effort with the Postsecondary Electronic Standards Council (PESC), a project called CommIT, to address the student identity verification concerns at the heart of the problem. How might CommIT serve in this capacity? Read on…

While financial aid issues don’t usually fall within the higher education IT policy space, this pending regulation-setting process comes on the heels of an ED inspector general’s (IG’s) report and “dear colleague letter” (DCL) in which IT-based approaches, such as IP and email address tracking of admissions applications and student participation in online learning activities, were featured prominently. These recommendations, made first in the IG’s report and later promoted to colleges and universities via the DCL, stem from the department’s concern about identity verification in online learning.

The question of how we know whether the person on the other end of an online interaction is who s/he says s/he is dates from the beginning of the Internet. The current issue derives directly from that gap. Over the last couple of years, fraud ring leaders have used valid identities culled from willing or duped ring participants to submit fraudulent admissions and financial aid applications for online programs. They have used those same identities to perpetuate their fraud by conducting just enough academic activity in online courses under the institutional credentials tied to them to trigger the release of financial aid awards. As institutions impacted by fraud rings—generally low-cost, open enrollment providers—looked for fraud indicators, the origination of multiple applications or multiple students’ online course activity from a single IP and/or email address emerged as a telling sign, hence the ED recommendations.

However, interest in online student identity verification arose at an even earlier point—during the 2008 Higher Education (Opportunity) Act reauthorization. At that time, Congress focused more on academic fraud rather than financial aid fraud, per se; i.e., how do institutions know that the person receiving credit for an online course is the person actually completing the coursework? Thus, the HEOA included a provision requiring accrediting bodies to confirm that institutions have processes for establishing “that a student registered for a distance education course is the same student that participates in, completes, and receives credit for the course” (HEOA Conf. Report, p. 136). The implementing regulations issued by ED confirmed that the secure login processes already in use qualified to fulfill the law’s requirements, mitigating fears that institutions might be forced to adopt expensive, hard-to-implement identity verification technologies or exam proctoring (although both were also mentioned as qualifying options).  (See also the ED DCL that provides a summary explanation of the regulations.) At the same time, the discussion around whether secure logins, as opposed to biometric technologies/applications, for example, were sufficient to verify student identity in online learning signaled that the debate on the need for identity verification and how best to meet it would continue.

With the financial aid fraud issue reigniting ED regulatory activity on identity verification, EDUCAUSE thought it important to submit comments in relation to the current rule-making that highlighted potential problems as well as options. We noted that sophisticated fraudsters would rapidly move to the use of proxy servers and dummy email addresses to undermine the value of IP and email address tracking, while institutions would still have to bear the costs of implementing and maintaining such measures. We also reiterated the point raised in relation to the earlier rule-making on identity verification that broadly affordable and effective verification technologies/applications have yet to emerge. We further discussed the difficulty that differential treatment of online students in relation to identity verification might pose to those students’ access to higher education, as well as the ability of colleges and universities to provide such access.

In contrast, EDUCAUSE highlighted the opportunity that federated identity management in the form of InCommon, when extended to students prior to their enrollment in college through CommIT, might play in affordably and effectively addressing the identity verification needs of both institutions and ED. Marrying PESC’s standards-setting functions in relation to the management and exchange of admissions data with InCommon’s federated identity management schema, CommIT is working to develop a framework and supporting technology-enabled processes to enable students to establish identity proofed online credentials for higher education as they are beginning to consider college, such as when they register to take the PSAT, SAT, or ACT. For students, this would have the benefit of allowing them to generate a single login for use across institutional admissions and financial aid processes as well as related third-party services, knowing that these credentials would follow them seamlessly into their college and alumni experiences. In turn, institutions would benefit by having a single set of credentials under which to organize the myriad of admissions and financial aid materials they may receive in relation to a given student, knowing that the credentials in question reflect appropriate trust relationships. And ED as well as students and institutions would benefit from the extent of student identity verification CommIT may conceivably enable.

Because CommIT credentials could be established at an early stage in a student’s pre-higher education experience, the probability of identity fraud in relation to the creation of those credentials would likely be greatly reduced. Also, the early stage at which CommIT credentials could be generated would allow for the development of a history of use that would provide a confirming context for verifying student identity moving forward. In this regard, CommIT representatives are working toward incorporating processes into the project that would allow CommIT credentials to achieve a level of identity assurance on par with that of the financial services industry. And all of this within an identity management framework developed by the higher education community for the higher education community, in full awareness of the needs and technical/resource constraints community members must have addressed to make the effort successful.

EDUCAUSE will continue to work with its member institutions and representatives, Internet2 and the InCommon federation, the CommIT project, and the higher education community in general to advance the discussion of identity verification with the U.S. Department of Education through the current regulatory process and beyond. In the meantime, we encourage members to get to know and to get involved in InCommon and CommIT as the community collectively tackles the challenges of identity verification in higher education.