Case Study


By Dr. Mark Sarver, Chief Behaviorist, Biometric Signature ID and Former CEO of EDUKAN


The findings of the audit, which began more than four years ago, were not a surprise to most observers.
That’s because the inspector general relied on a 1992 federal law that defines aid eligibility for distance education programs, which many have said poses a problem for WGU, some other competency-based programs, and possibly online education writ large.
The US Department of Education’s Office of Inspector General  ruled today that Western Governors University was out of compliance with Title IV financial aid rules, especially the “regular and substantive interaction” provisions that Van Davis (Blackboard) and Russ Poulin (WCET) outlined last year. Their findings include a recommendation for returning Title IV funds described below:
“From the OIG- We concluded that Western Governors University did not comply with the institutional eligibility requirement that limits the percentage of regular students who may enroll in correspondence courses.5 Therefore, the Department should require the school to return the $712,670,616 in Title IV funds it received from July 1, 2014, through June 30, 2016, and any additional funds it received after June 30, 2016.”
Several issues were the highlight of the audit report:
1.   Regular and substantive interaction issue: The audit report said most courses at WGU do not meet the distance education requirement because they were not designed for regular and substantive interaction between students and faculty members. Those courses instead should have been labeled as correspondence courses, according to the inspector general.
Under the law, a college is not eligible to receive federal financial aid if more than half of its courses are offered via correspondence or if most of its students are enrolled in correspondence courses. The inspector general’s audit report said 62 percent (37,899) of the 61,180 students who were enrolled at WGU in 2014 took at least one of 69 courses (among 102 courses in the university’s three largest academic programs) that failed to meet the distance education requirements.
None of these 69 courses could reasonably be considered as providing regular and substantive interaction between students and instructors, the key requirement to be considered a course offered through distance education,” according to the report. “Therefore, Western Governors University became ineligible to participate in the Title IV programs as of June 30, 2014.”
2.   Student attendance issue: Here’s what the OIG said about this issue that also affects Title IV funding eligibility:
“We also concluded that the school did not always confirm that students started attendance in the courses on which their eligibility was based before disbursing Pell funds on or after the first day of a payment period. By not confirming attendance before disbursing Pell funds, the school
BioMetric Signature ID 3
increased the risk that it would disburse the funds to students who were not academically active during the payment period”
Western Governors University considered the date of academic activity verification (AAV) to be each student’s first day of attendance and disbursed Pell funds once AAV occurred. The date of AAV should not have automatically qualified as a day of academic attendance for Title IV purposes. AAV was the process to select courses or register for courses.
“According to 34 C.F.R. § 668.21(a), if a student does not begin attendance in a payment period, the school must return all Title IV funds that were credited to the student’s account for that payment period.  Therefore, if a student does not start attendance in the classes on which his or her eligibility was based and only participates in AAV during the payment period, the school should be returning all Title IV funds disbursed to the student for the payment period”.
3.   `SEC. 102. DEFINITION OF INSTITUTION OF HIGHER EDUCATION FOR PURPOSES OF TITLE IV PROGRAMS. `(3) LIMITATIONS BASED ON COURSE OF STUDY OR ENROLLMENT- An institution shall not be considered to meet the definition of an institution of higher education in paragraph (1) if such institution--
`(A) offers more than 50 percent of such institution's courses by correspondence, unless the institution is an institution that meets the definition in section 521(4)(C) of the Carl D. Perkins Vocational and Applied Technology Education Act;
`(B) enrolls 50 percent or more of the institution's students in correspondence courses, unless the institution is an institution that meets the definition in such section, except that the Secretary, at the request of such institution, may waive the applicability of this subparagraph to such institution for good cause, as determined by the Secretary in the case of an institution of higher education that provides a 2- or 4-year program of instruction (or both) for which the institution awards an associate or baccalaureate degree, respectively;
`(C) has a student enrollment in which more than 25 percent of the students are incarcerated, except that the Secretary may waive the limitation contained in this subparagraph for a nonprofit institution that provides a 2- or 4-year program of instruction (or both) for which the institution awards a bachelor's degree, or an associate's degree or a postsecondary diploma, respectively; or
`(D) has a student enrollment in which more than 50 percent of the students do not have a secondary school diploma or its recognized equivalent, and does not provide a 2- or 4-year program of instruction (or both) for which the institution awards a bachelor's degree or an associate's degree, respectively, except that the Secretary may waive the limitation contained in this subparagraph if a nonprofit institution demonstrates to the satisfaction of the Secretary that the institution exceeds such limitation because the institution serves, through contracts with Federal, State, or local government agencies, significant numbers of students who do not have a secondary school diploma or its recognized equivalent.
BioMetric Signature ID 4
Why was WGU audited: The audit report is primarily based on the OIG’s interpretation of a provision of the Higher Education Act enacted in 1992 defining requirements for interaction between faculty and students in distance learning programs. The OIG used its definition of “faculty” to find that WGU faculty did not provide the required “regular and substantive interaction” with WGU’s students.
Audit Results: The Office of Inspector General said the U.S. Department of Education should require WGU to return $713 million in federal aid it received during the two years before July of last year, as well as any federal aid it received since then.
Additionally, the  final audit report, issued, also said the nonprofit university, which enrolls 83,000 students, should be ineligible to receive any more federal aid payments.
Selected Observers React: Supporters of competency-based education said the federal government should update its regular-and- substantive requirement, but in a way that might encourage fraudulent, low-quality programs who can take advantage of students.
In an excerpt from a recent WCET blog where experts weighed in including Deb Bushway Ph.D current provost at Northwestern Health Sciences University who also worked for Capella University, the University of Wisconsin Extension and as an adviser to the Education Department.
“The inspector general is clearly following the letter of the law,” Bushway said, adding that the report was not a regulatory overextension. But she also called it “more evidence that the law needs to be changed.”
Pulling the regular-and-substantive language completely, however, which some advocates are quietly pushing for, would be a mistake, said Bushway. “That would invite bad players into the field and threaten the reputation of competency-based education,” she said.
Instead, Bushway and others call for a two-pronged solution, with a fix that would protect WGU and other competency-based programs in the short term while Congress revisits the law, perhaps as part of the reauthorization of the Higher Education Act.
Recommendation: Regardless of who wins in this conflict, all points are converging on more DOE/OIG oversight and enforcement. The DOE and OIG have shown they are ready to take on some large institutions, (examples, ITT, Corinthian) for failure to comply with their rules. Since there will be a loser in this latest attempt, enforcement is expected to increase.
Some of the following issues will undoubtedly be under enforcement with resulting accreditation and Title IV eligibility at stake. My recommendation is to use our multimedia approach to inform our clients and potential clients that we offer a budget easy solution to overcome these pertinent issues.
BioMetric Signature ID 5
• Regular and substantive interaction – Institutions will need to demonstrate they have a system to both verify student ID and then verify that student’s attendance at one of 8 identified “educational activities” that is initiated by the instructor o BSI solves this issue with the use of its Academic attendance report that captures computer-assisted instruction or other educational activities throughout the course. o This report can also be used in WGU’s case to comply with to 34 C.F.R. § 668.21(a), to ensure the student remains eligible for Title IV funds (see issue # 2 in this document)
• At some point the huge burden of “improper payments” from Pell grants and other FSA will be focused on. This fraud is now over $3B, is under congressional oversight and is not going away. BSI is working with selected members of the federal Educational Committee to use our forensic reports to capture fraudulent students. Our clients using BioSig-ID have significant advantage and head start in reducing their own FSA fraud by using our reports to identify and stop payments to fraudsters
• The OIG has issued another Final Audit Report ( to enforce student ID verification to enable continued Title IV funding. Institutions who do not have a process in place for student ID verification are at risk of being cut off from FSA including military and Title IV o BSI offers compliance with the DOE’s and OIG’s regulations on the processes required to ID students and measure them throughout the course
• On the edge institutions with the 50% rule, BSI can quickly offer a solution to help capture and monitor a student ID verification system demonstrating faculty interaction.
Additional Notes: It’s naïve to assume your college has not been affected by fraud. The growth of online education has brought a wave of what’s referred to as Pell Runners, in reference to the federal student aid program. Online classes make it easier than ever before to apply for assistance, register with a college, take the money and never attend classes.
The number of potential fraud recipients increased 82 percent between 2009 and 2012 according to an Inspector General report for the U.S. Department of Education. These so-called students stole an estimated $187 million in federal aid in 2012 alone.
Because fraud usually involves federal (not institutional) funds that are funneled through the college or university, it often occurs under the radar. If allowed to occur for a prolonged period of time, it results in less access to aid (and access to courses) for legitimate students and potentially affects an institution’s default rate.
Catching fraud can take a lot of staff time and financial resources, but technology can simplify the process. As an example, BioSig-ID allows institutions to track the IP addresses of applicants and to monitor suspicious login patterns. These patterns include multiple accounts logging in from the same IP address or accounts with multiple login failures, too many password resets and other behaviors that just don’t hold up. For example a student who lives in Baltimore and submits all assignments through an IP address in Baltimore, except quizzes and exams, which are submitted through an IP address in Houston. Don’t think so.
With BioSig-ID, we do all of the grunt work for you. We find the needle in the haystack and allow you to focus on what’s really important. Teaching.
To read more on how to protect yourself go to protect-your-school-from-student-loan-fraud-this-year
- Dr. Mark Sarver

speaker at podiumGDPR Compliance Overview 


A look at the EU’s latest General Data Protection directive (GDPR) and the new PCI DSS and how BioSig-ID meets regulatory statutes to keep you in compliance


By Jeff Maynard, Founder, President and CEO, Biometric Signature ID


A new EU (European Union) compliance regulation and the new PCI DSS (Payment Card Industry Data Security Standards) will redefine user privacy within Europe and beyond. The General Data Protection Regulation (GDPR) will have a far-reaching impact for organizations throughout the world. 

GDPR is intended to broadly and conclusively provide data privacy and security protection for residents of the EU. It becomes effective May 25, 2018. 

The GDPR is binding on all 28 EU member states and will immediately repeal previous data regulations, including the 1995 EU Data Protection Directive. The GDPR has a wider reach and broader scope than the EU Data Protection Directive. The GDPR can, in many cases, apply to U.S. higher education institutions and companies if those entities control or process data about residents of the EU. 


What GDPR Covers


The GDPR imposes a variety of new requirements that organizations must follow, regarding:


·         Data security practices

·         Personal data usage and privacy restrictions

·         Data breach reporting requirements

·         Personal data consent collection requirements


Breach Responsibilities under GDPR


If your organization suffers a data breach, under the new EU compliance standard, the following may apply depending on the severity of the breach:


·         Organizations must notify the local data protection authority and potentially the owners of the breached records

·         Your organization could be fined up to 4% of global turnover or €20 million



Exceptions to the Rule

The GDPR does provide exceptions based on whether the appropriate security controls are deployed within the organizations.  For example, a breached organization that has rendered the data unintelligible through encryption to any person who is not authorized to access the data, is not mandated to notify the affected record owners. 

The chances of being fined are also reduced if the organization can demonstrate a secure breach has taken place.



Addressing GDPR Compliance

To maintain GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:


·         Servers, including via file, application, database, and full disk virtual machine encryption

·         Storage, including through network-attached storage and storage area network encryption

·         Media, through disk encryption

·         Networks, for example through high-speed network encryption


Additionally, strong key management is required to not only protect the encrypted data, but to ensure the deletion of files to comply with a user’s “right to be forgotten.” 

Organizations must also provide a way to verify the legitimacy of user identities and transactions to prove compliance. It is critical that the security controls in place be demonstrable and auditable.

GDPR expects organizations to stay in control of their data to ensure that it is accessed and processed by authorized users only when appropriate. The control requirements are covered in Articles 5, 25, and 32.


Under GDPR, Organizations ARE REQUIRED TO


·         Only process data for authorized purposes

·         Ensure data accuracy and integrity

·         Minimize subjects’ identity exposure

·         Implement data security measures



Data Security Measures and Compliance

The GDPR does not specifically mandate two-factor and multifactor authentication solutions per se, however a careful read of the regulation leaves no doubt that if companies leave simple, static passwords in place and they are breached, auditors will come for them.

This threat can be prevented with multi-factor authentication, the first line of defense in any scenario. Strong authentication controls which users have access to the network and the resources within. By assigning credentials to individuals authenticated with multi-factor solutions, organizations can track access to resources to monitor internal risks.

Multi-factor authentication also makes it more difficult for unauthorized users to access sensitive resources. For known and unknown threats, multi-factor authentication raises the barriers to data access making it easier for an organization to stay in control of their data.

Unlike prior laws, the GDPR takes the position that residents of the EU should not be deprived of security and privacy protections solely because a business or organization that targets those residents is located elsewhere (outside the EU). This provision brings companies throughout the world and the United States into the picture.

It’s important to note that no single solution will make an organization GDPR compliant. The regulation is too broad – covering everything from governance to contractual obligations. However, deploying measures such as MFA will go a long way to maintaining best practices and mitigating future data breaches.


BioSig-ID and GDPR


Biometric Signature ID’s state-of-the-art authentication system meets the litmus test put forth by the GDPR. Not only is our BioSig-ID™ MFA biometric solution the only one of its kind, we provide all of the necessary forensics and reporting that needed to accurately maintain sensitive personal information and respond to incoming threats in real time.

BioSig-ID’s ability to revoke and replace credentialing at any time provides the only privacy sensitive biometric solution for GDPR compliance. Unlike other biometrics that use static physical attributes for identity proofing, BioSig-ID merely captures a gesture – drawing a password – that can be changed and could not be used, if compromised, to steal a user’s identity.

In our global economy, most large companies are doing business in the EU or working with EU citizens. Cloud based BioSig-ID offers a simple solution to the complex demands of identity authentication, providing a high level of biometric assurance without the inherent risk of other biometrics.


Satisfies PCI DSS and meets the GDPR requirements

Both the PCI DSS and the GDPR aim to ensure organizations secure personal data. The PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers. It also applies to all other entities that store, process or transmit cardholder data or sensitive authentication data.

The GDPR focuses on European residents’ personal data. The important difference is that the GDPR is less prescriptive than the PCI DSS. The GDPR provides guidance on what needs protecting but does not provide a detailed action plan. Conversely, the PCI DSS details clearly what needs to be achieved and provides a clear methodology for securing cardholder data.


The PCI DSS as a tool to achieve GDPR compliance

The PCI DSS establishes a set of controls for keeping cardholder data secure, supported by a regulatory framework. If deployed to the rest of the business – without extending the cardholder data environment – these same controls and processes could provide organizations with a head start in meeting the sixth principle of the GDPR (integrity and confidentiality). This principle requires data controllers and processors to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it is up to date and that controls to protect it are working effectively.

The first change to Requirement 8.3 in PCI DSS is the introduction of the term “multi-factor authentication” rather than the previous term “two-factor authentication”, as two or more factors may be used. By changing this terminology, two factors of authentication becomes the minimum requirement. Two factors has also meant in the past 2 similar factors (sic 2 of the same or multi-layer). Example you know a password and you are then asked ask a security question – BUT these are not multi-factor as described below. 

Multi-factor authentication requires the use of at least two of the three authentication factors as described in PCI DSS Requirement 8.2:

  • Something you know, such as a password, PIN or the answer to secret questions
  • Something you have, such as a token device or smartcard
  • Something you are, such as a biometric


A PCI breach is a GDPR breach

·         Under the GDPR, personal data “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4, clause 1)

·         As defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, cardholder data is, at a minimum, the full primary account number (PAN), but may also appear in the form of the full PAN plus one of the following: cardholder name, expiration date and/or service code

Where cardholder data includes any information that could be used to identify the individual, then it is personal data as defined by the GDPR. If that data is compromised in a data breach, the breached organization is likely to be liable under both the PCI DSS and the GDPR.

It’s important to note that all reporting and fines because of a data breach fall within the legalese of the GDPR code.


For a description of the industry-accepted principles and best practices for a MFA implementation, select this link. Information Supplement – Multi-Factor Authentication version 1.0


Multi-Factor Authentication -The New Frontier Of Virtual Security: Here’s Why

Hardly a day goes by where there’s not a report of a data breach, or someone’s personal information getting stolen. Despite many of our best efforts, data breaches are still a very real, very BIG problem. In 2017, 2 billion files were leaked as a result of data breaches and those are just the ones that were reported!

As you’re reading this you can be sure that hackers worldwide are continuing to look for ways to compromise valid credentials in order to access company networks and steal data. Ask most IT experts and you’ll hear the term Two-factor authentication (2FA). Unfortunately, 2FA is no longer a viable solution. There's no way to accurately verify a person’s identity, or gate access control to a device or computer. 2FA has become so obsolete and outdated, that according to new article by Tech Crunch, the National Institute of Standards and Technology (NIST) has called for the end of SMS two-factor authentication because all the security holes in cellular/LTE data communications.

So, what now? We know that pins and passwords are obsolete and with 2FA off the table, what do security experts recommend?

Luckily there's an answer. Current regulations like those set forth by the PCI Data Security Standard (PCI DSS) requires multi-factor authentication (MFA) to be implemented to access computers and systems that process payment transactions. What is MFA you might ask? MFA is currently the highest level of authentication in the market today. It provides a higher degree of identity assurance of individuals attempting to access resources such as personal devices, internet accessed accounts, or corporate workstations. MFA is when you select two from the following categories: something you are with something you know, or something you have, to defeat unauthorized users from gaining access into a system or device.

Most industries and regulatory bodies worldwide are moving towards the use of MFA because it’s effective at authenticating and validating credentials. Switching to MFA is fairly simple. Since something you are is always a biometric, start here, but you need to look at the use case. If you are trying to get into a building use a physical biometric like fingerprints. If you are trying to gate access to a computer or Internet accounts choose a behavioral based biometric. With these biometrics you really only have three options, gait (how you walk), keystroke (looks at the typing rhythm) and signature/gesture biometrics.

Gait is not suited for remote access and typing is limited by too many false positives, its limits on speed to complete, and use confined to certain devices only. Signature /gesture biometrics is the market leader and BioSig-ID is the only one with several issued patents and worldwide use. It requires no additional hardware or software downloads. It also comes with a robust forensic reporting tool that catches un-approved access and fraud. With nearly 12M uses in 95 countries, it has been rated top 10 MFA solution provider in 2018. You can try out the software and make your own biometric password at


Turn on the news, read an online article, or pick up a paper and chances are you’ll see a story about another data breach and its impact on a company’s bottom line. What you won’t typically see, are the number of records that were stolen, the types of records being hacked and perhaps most importantly, the effect it has on a company/industry beyond just the monetary value.

Since 2013 more than 9B personal credentials have been compromised giving cyber criminals an abundance of personally identifiable information to sell and/or use to commit fraud. 2017 was a particularly tough year for many large companies with more data stolen in the first six months than throughout the whole of 2016.

As technology evolves so does the sophistication, as well as the number of attempted data breaches. Yet many companies are adhering to the same outdated security protocols and software that landed them in hot water in the first place. All due to one thing… cost.

In a recent survey, Ponemon identified the average cost of a breach as $3.62 million in its 2017 Cost of Data Breach study. Many companies can’t see the forest for the trees and wind up getting fixated on the impact to their profit margins, but what about the indirect costs that are rarely discussed such as:

  • Legal Action taken by those person(s) affected
  • Physical damage to a company’s database, server, etc.
  • Reputational damage
  • Customer / Client retention
  • Federal Regulations / Fines
  • Criminal charges

As long as new technologies continue to emerge cyberattacks will continue to occur. The difference is as a company, do you continue to operate business as usual, or do you begin looking into proven solutions that move beyond pins and passwords and outdated two-factor authentication techniques?

If you choose the later, call us. Biometric Signature ID has a proven authentication solution with more than 1M individual users and 11M unique uses in 95 countries. With an accuracy rate that’s 3x better than the NIST guidelines for biometrics, we’ve helped put an end to fraud and re-written the way you use biometrics.

Lately there’s been quite a lot of buzz surrounding “student authentication” and what Universities and Colleges need to do to remain compliant. From the landmark case between WGU and the OIG, to the countless billions lost in 2017 alone to academic cheating and financial aid fraud, it’s clear that the time for change is now!

Recently the largest education accrediting agency in the U.S. passed new requirements for student ID authentication. The new regulation(s) stands to change the way institutions are validating / verifying student enrollment and is gaining traction amongst other accreditation agencies.

Under the previous student authentication guidelines, “any institution that offered distance, or correspondence education was required to verify that the student who registers for a course was the same student participating throughout the course. Verification methods deemed acceptable included pins and passwords, as well as proctored examinations.

Taking effect Jan. 2018, the new rules are:

“10.6: Student Authentication Guidelines"

a) An institution that offers distance or correspondence education must: Ensure that the student who registers in a distance, or correspondence education course or program is the same student who participates in and completes the course or program and receives the credit.

(1) A secure login and pass code: 

  • Can be shared amongst individuals and fraudsters
  • Are easily compromised
  • Has no way of securely or accurately verifying the user

(2) Proctored examinations:

  • Can't verify same student is doing course work
  • Students are finding ways to hack the system
  • Designed to catch cheaters only 

(3) New or other technologies and practices that are effective
      in verifying student identification such as BioSig-ID:

  • Integrated with LMS/No per use charge so ideal for continuous authentications
  • Verifies students throughout the course anytime, anywhere
  • Provides next-level forensics and auditing tools that keep you off the naughty list
    and in compliance with regional accreditors and the feds

With the new guideline(s) in place, pins and passcodes and proctored examinations ae no longer viable options, because of their failure to verify a student’s identity.

What schools are left with, is the only PROVEN solution to accurately identify and verify a student’s identity anytime, anywhere throughout a course. The writing is on the wall…

Proper authentication and compliance begins and ends with BioSig-ID the world’s first biometric password that you draw.


Recent Blogs