
(GENERAL-26-31) Best Practices for Institutions to Prevent FAFSA Fraud and Protect Title IV Funds

Electronic Announcement ID: GENERAL-26-31
Subject: Best Practices for Institutions to Prevent FAFSA Fraud and Protect Title IV Funds

The Department of Education (Department) is sharing the following best practices for institutions to consider as they work to prevent fraud in the nation’s federal student assistance programs; protect students, parents, and borrowers; and safeguard Title IV funds on behalf of taxpayers. These practices are not exhaustive and do not replace existing statutory or regulatory requirements. Rather, they reflect concrete, operational steps institutions are using to identify potential fraud earlier in the financial aid lifecycle, prevent improper disbursements, and coordinate action across offices.

On April 26, 2026, Federal Student Aid (FSA) implemented real-time identity fraud detection capability within the Free Application for Federal Student Aid (FAFSA®) form. Using technology from a leading financial services firm, FSA is screening and assessing risk on every FAFSA form as it is being completed, creating an automated, streamlined process that occurs in real-time. This approach allows legitimate students to proceed through the FAFSA process quickly, while requiring a small portion of applicants to complete additional steps to confirm their identity.

As described in the April 15, 2026, Electronic Announcement (APP-26-03) and June 6, 2025, Electronic Announcement (APP-25-16), institutions also have an important and significant role to play in conducting identity verification. Additionally, under 34 CFR 668.16(f), an institution must administer Title IV programs with adequate internal controls to prevent errors, fraud, or mismanagement of federal student aid funds. Institutions also must refer credible information indicating fraud or other criminal misconduct to the Department’s Office of Inspector General (OIG). See, for example, 34 CFR 668.16(g).

Institutions should embrace the principle that fraud prevention is not only a federal financial aid function but a core component of an institution’s responsibilities under Title IV of the Higher Education Act of 1965. Consistent with that approach and past guidance, the Department is sharing the following best practices for institutions of higher education to consider as they work proactively to prevent fraud.

  • Use account holds aggressively when risk indicators appear

    A strong common practice among institutions is to place immediate holds on accounts when suspicious activity is identified. For example:

    • Macomb Community College (Macomb) states that an “identity verification hold” can prevent both registration and financial aid disbursement, while a case is being reviewed;

    • University of Maryland Global Campus (UMGC) similarly places a hold that prohibits registration, awarding and disbursement of aid, and credit balance refunds during additional review; and

    • Harper College states that awarded aid is held until a student’s identity is verified.

    Institutions may want to establish a written protocol, integrated with their technology systems, that automatically triggers holds when certain indicators are present, such as suspicious identity documents, inconsistent demographic data, unusual address changes, conflicting FAFSA® submissions, suspicious refund requests, or credible reports from another office. Empire State University’s Red Flag policy is a useful example of listing specific “red flags” and corresponding responses, including denying account access until identity is established and refusing to release refund checks when identity concerns remain unresolved.

     

  • Require layered identity verification for higher-risk cases

    Institutions that appear most prepared to combat fraud are not relying on a single document. For example:

    • George Washington University’s (GWU) policy describes preferred in-person verification using a valid, unexpired government-issued photo ID with the reviewing official documenting the review date and their name/title. GWU’s policy also allows secure video-call verification for students who cannot appear in person, with the institution retaining a copy or screenshot of the ID and documenting the date and reviewer;

    • UMGC’s additional-review process may require a government-issued photo ID, a live self-photograph, a notarized form, address verification, a birth certificate, and a signed Social Security card; and

    • Macomb lists a similarly layered set of possible documentation, including tax returns, bank statements, prior transcripts, high school records, proof of residency, passport, birth certificate, and Social Security card.

    A useful practice for institutions is to define tiers of review. For lower-risk cases, an institution might resolve the issue with standard verification or a single secure identity step. For higher-risk cases, institutions may wish to require multiple corroborating documents and, where appropriate, in-person or live remote verification before either enrollment activity continues or any Title IV funds or credit balance refunds are released. The public examples above suggest that layered verification works best when tied to an account hold that remains in place until the review is complete.

     

  • Treat conflicting information as a campuswide responsibility

    Institutions should ensure that staff beyond the financial aid office know how and what to escalate. FSA’s guidance states that conflicting information can arise from admissions, the registrar, academic affairs, and other offices, and that institutions must resolve discrepancies before disbursing aid. Institutions are already taking action. For example:

    • Delgado Community College’s policy specifically directs admissions and other departments to notify the Student Financial Assistance Office immediately when fraudulent documents are submitted because of the potential Title IV impact;

    • Harper College publicly describes a process in which the Student Conduct Office, registrar, and campus police compile fraud cases and help determine whether enrollment should be terminated; and

    • The Ohio University and Elgin Community College both describe formal red flag/identity theft committees that include multiple offices, such as admissions, registrar, bursar, financial aid, information technology, internal audit, student affairs, and legal or finance leadership.

    As a practical matter, institutions may wish to create a simple escalation channel and shared case process for admissions, the registrar, bursar/student accounts, academic affairs, conduct, information security, and campus police.

     

  • Check attendance and academic engagement before refunds go out

    One of the clearest operational controls is linking disbursement and refund activity to real attendance or academic engagement. Some institutions have implemented policies that help protect Title IV funds before they are issued to students. For example:

    • Nevada State University’s policy directs faculty to verify attendance through its faculty system and directs the cashier’s office, before issuing student refunds, to run customized queries to identify suspected fraudulent activity and hold the refund if concerns are found;

    • Colorado Mountain College notes that students dropped as “no-show” may lose aid; and

    • College of Eastern Idaho states that, where aid is not ready for the first disbursement, it confirms attendance in all courses during the first 10 days before releasing funds.

    For institutions looking for practical steps, FSA suggests at least three controls:

    • Timely instructor reporting of no-shows or lack of academically related activity.

    • A pre-refund review of students with suspicious indicators.

    • Coordination between financial aid and disbursement vendors so credit balance refunds are not released automatically when attendance or identity concerns are unresolved.

    These controls are especially important in online and short-term enrollment environments, where fraudulent actors may try to secure a refund before being identified.

     

  • Use unusual enrollment history and transfer patterns as risk indicators

    Institutions should pay particular attention to enrollment patterns that suggest an applicant may be attempting to obtain a credit balance refund rather than pursue academic credit.

    • The University of Arizona states plainly that its review of unusual enrollment history (UEH) is intended to determine whether a student enrolled at multiple institutions is “solely to obtain a credit balance/refund payment.”

    • Montgomery County Community College requires students flagged for UEH to submit a form plus transcripts or grade reports from prior institutions, and then reviews National Student Loan Data System (NSLDS®) history and supporting documentation.

    Institutions may wish to broaden this lens beyond formal UEH flags; institutions have authority to review records when they suspect incorrect information or fraud. Institutions should consider whether repeated non-completion, repeated withdrawals after aid disbursement, and/or patterns of multiple recent enrollments with little or no academic credit warrant additional scrutiny before future disbursements.

     

  • Strengthen process for reviewing subsequent Institutional Student Information Records (ISIRs) and post-disbursement discrepancies

    Fraud prevention does not end once aid is awarded. The Federal Student Aid Handbook (FSA Handbook) explains that institutions generally must review subsequent transactions during the processing year, and that—if conflicting information is discovered after disbursement—the institution must reconcile it and take appropriate action, including returning funds when necessary.

    • University of Arkansas for Medical Sciences provides a practical example: When a student is selected on a later ISIR after packaging or disbursement, it places holds on undisbursed aid and on future aid until verification is complete.

    • Northern Virginia Community College likewise states that conflicting information must be resolved even if Title IV grants or loans have already been disbursed.

    Institutions should, therefore, ensure that later-arriving ISIRs, NSLDS changes, address changes, unusual account activity, and reports from other offices are routed into a review queue that can stop additional aid or refunds. An institution that only checks for risk at initial packaging is likely to miss later-developing fraud indicators.

     

  • Build a formal red-flags program and train staff

    Several institutions publicly describe structured “Red Flag” or identity theft prevention programs.

    • Elgin Community College’s program identifies, detects, responds to, and periodically updates risks and provides for staff training.

    • Ohio University similarly describes a program administrator, a cross-functional committee, staff training for employees who handle covered accounts or identifying information, requirements for vendors/service providers, and periodic program updates as fraud methods change.

    Institutions that do not yet have such a program may want to create a written document that identifies common red flags, assigns office responsibilities, specifies hold authorities, and sets timelines for outreach, escalation, and resolution. Institutions should also train front-line staff—especially in admissions, one-stop/student services, registrar, bursar, call centers, and online program support—to recognize suspicious behavior and know when to escalate a case.

 

  • Protect refund processes and account-change requests

    Fraud prevention should extend to the refund stage, not just the application stage on the FAFSA. Empire State University’s policy includes several practical controls:

    • Do not release a refund check until the student’s identity is established through acceptable means.

    • Do not provide card information over the phone.

    • Require verification for suspicious address changes.

    • Require authorization on file before disclosing account information to third parties.

    Nevada State’s policy also directs its cashier’s office to run customized pre-refund queries and hold suspect refunds.

    Institutions may want to review whether current student account and refund workflows make it too easy to redirect funds after a fraudulent enrollment is established. Basic controls—such as added review of alternate-address refund requests, delayed release of checks or electronic refunds when red flags are present, and verification before sensitive account changes—can materially reduce loss exposure.

     

  • Refer credible fraud information to the Department’s OIG and document the basis

    Federal regulations require institutions to refer credible information indicating that an applicant may have engaged in fraud or other criminal misconduct in connection with a Title IV application to the Department’s OIG. The regulation gives examples including false claims of independent status, false claims of citizenship, use of false identities, forged signatures or certifications, and false statements of income. The FSA Handbook reiterates that, if an institution suspects a student, employee, or other individual misreported information or altered documents to fraudulently obtain federal funds, it must report its suspicions and provide evidence to the Department’s OIG. Institutions do not need to prove a case before referring it, and the OIG has a process to reach out to institutions if additional documentation and information is needed.

     

Consistently applying proven best practices and adapting to the ever-changing world of fraud will help institutions of higher education prevent fraud, protect students, and safeguard federal student aid funds. FSA stands ready to continue to work with institutions on this important initiative.

The Department’s inclusion of policies adopted by other institutions in this EA does not constitute an endorsement or approval of any specific policy, nor does it represent a determination that adoption of such policies will preclude or absolve an institution of any Title IV findings. These materials are provided solely as illustrative examples of practices that institutions may consider when developing and implementing fraud prevention efforts.

Links provided in this EA are current as of the date of publication.