SECTION 1. Short title.

SEC. 2. Criminal penalties.

SEC. 3. Loan counseling.

(1) in clause (viii), by striking “and” after the semicolon; and

(2) by adding at the end the following:

“(x) an explanation that—

“(I) the borrower may be contacted during the repayment period by third-party student debt relief companies;

“(II) the borrower should use caution when dealing with those companies; and

“(III) the services that those companies typically provide are already offered to borrowers free of charge through the Department or the borrower's servicer; and”.

SEC. 4. Prevention of improper access.

(1) by redesignating subsections (e) through (h) as subsections (f) through (i), respectively;

(2) in subsection (d)—

(A) in paragraph (5)(C), by striking “and” after the semicolon;

(B) in paragraph (6)(C), by striking the period at the end and inserting “; and”; and

(C) by adding at the end the following:

“(7) preventing access to the data system and any other system used to administer a program under this title by any person or entity for the purpose of assisting a student in managing loan repayment or applying for any repayment plan, consolidation loan, or other benefit authorized by this title, unless such access meets the requirements described in subsection (e).”;

(3) by inserting after subsection (d) the following:

“(e) Requirements for third-Party data system access.—

“(1) IN GENERAL.—As provided in paragraph (7) of subsection (d), an authorized person or entity described in paragraph (2) may access the data system and any other system used to administer a program under this title if that access—

“(A) is in compliance with terms of service, information security standards, and a code of conduct which shall be established by the Secretary and published in the Federal Register;

“(B) is obtained using an access device (as defined in section 1029(e)(1) of title 18, United States Code) issued by the Secretary to the authorized person or entity; and

“(C) is obtained without using any access device (as defined in section 1029(e)(1) of title 18, United States Code) issued by the Secretary to a student, borrower, or parent.

“(2) AUTHORIZED PERSON OR ENTITY.—An authorized person or entity described in this paragraph means—

“(A) a guaranty agency, eligible lender, or eligible institution, or a third-party organization acting on behalf of a guaranty agency, eligible lender, or eligible institution, that is in compliance with applicable Federal law (including regulations and guidance); or

“(B) a licensed attorney representing a student, borrower, or parent, or another individual who works for a Federal, State, local, or Tribal government or agency, or for a nonprofit organization, providing financial or student loan repayment counseling to a student, borrower, or parent, if—

“(i) that attorney or other individual has never engaged in unfair, deceptive, or abusive practices, as determined by the Secretary;

“(ii) that attorney or other individual does not work for an entity that has engaged in unfair, deceptive, or abusive practices (including an entity that is owned or operated by a person or entity that engaged in such practices), as determined by the Secretary;

“(iii) system access is provided only through a separate point of entry; and

“(iv) the attorney or other individual has consent from the relevant student, borrower, or parent to access the system.”; and

(4) in subsection (f)(1), as redesignated by paragraph (1)—

(A) in subparagraph (A), by striking “student and parent” and inserting “student, borrower, and parent”;

(B) by redesignating subparagraphs (C) and (D) as subparagraphs (D) and (E), respectively;

(C) by inserting after subparagraph (B) the following:

“(C) the reduction in improper data system access as described in subsection (d)(7);”; and

(D) by striking subparagraph (E), as redesignated by subparagraph (B), and inserting the following:

“(E) any protocols, codes of conduct, terms of service, or information security standards developed under paragraphs (6) or (7) of subsection (d) during the preceding fiscal year.”.

SEC. 5. Agency prevention and detection.

“(C) Taking action to prevent and address the improper use of access devices, as described in section 485B(d)(7), including by—

“(i) detecting common patterns of improper use of any system that processes payments on Federal Direct Loans or other Department information technology systems;

“(ii) maintaining a reporting system for contractors involved in the processing of payments on Federal Direct Loans in order to allow those contractors to alert the Secretary of potentially improper use of Department information technology systems;

“(iii) proactively contacting Federal student loan borrowers whose Federal student loan accounts demonstrate a likelihood of improper use in order to warn those borrowers of suspicious activity or potential fraud regarding their Federal student loan accounts; and

“(iv) providing clear and simple disclosures in communications with borrowers who are applying for or requesting assistance with Federal Direct Loan programs (including assistance or applications regarding income-driven repayment, forbearance, deferment, consolidation, rehabilitation, cancellation, and forgiveness) to ensure that borrowers are aware that the Department will never require borrowers to pay for such assistance or applications.”.

SEC. 6. Effective date.