Employers use background checks to protect their workforce, customers, and the business from risk. But the background check process is also an opportunity to protect candidates through Fair Credit Reporting Act (FCRA) compliance.
FCRA compliance is required by law, but it also protects your organization from lawsuits and reputational damage. Learn more about FCRA background check compliance and the tools you need to navigate this process.
Table of Contents:
- What is the Fair Credit Reporting Act, and Why Does It Matter?
- FCRA Compliance Requirements for Background Checks
- The Costs of FCRA Non-Compliance
- 3 Common Pitfalls and Challenges of FCRA Compliance
- 4 Best Practices for FCRA Compliance With Background Check Requirements
What is the Fair Credit Reporting Act, and Why Does It Matter?
The FCRA is a federal law that regulates the collection, dissemination, and use of consumer information, including background checks. The law aims to ensure fairness, accuracy, and privacy in the use of consumer data. The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) regulate the FCRA.
Background checks are considered to be consumer reports when:
- The report is used to make decisions related to employment, housing, credit, or insurance.
- The report contains information related to a person’s credit, character, or reputation (among other things).
When these and other criteria are met, the background check process must comply with the FCRA.
Most employers source background check reports from consumer reporting agencies (CRAs). Under the FCRA, agencies must follow reasonable procedures to make sure that these reports are accurate. A trusted background screening partner, like Cisive, can help organizations verify the accuracy of this information.
FCRA compliance is crucial for HR leaders, recruiters, and hiring managers for several reasons. Compliance protects the rights of job applicants by making sure that their personal information is handled responsibly and used only for legitimate purposes. Non-compliance can result in lawsuits, reputational damage, and regulatory penalties.
FCRA Compliance Requirements for Background Checks
The FCRA sets guidelines for asking for, using, and disposing of consumer credit reports. The basic steps involved in making background check processes FCRA compliant are outlined below.
Obtain Consent From the Applicant
The FCRA requires employers to provide applicants with a clear and conspicuous disclosure that background checks will be conducted for employment purposes. This disclosure allows applicants to make informed decisions about their participation in the hiring process.
Provide a consent/authorization form that outlines:
- The purpose of the background check: Generally, to screen for job-related factors that could influence employment eligibility.
- The type of information you’ll collect: This can include criminal records, employment eligibility, credit history, driving records and other items.
- How you’ll use such data to make a hiring decision: Explain why a failed report could exclude someone from a particular role. A healthcare facility won’t hire someone for a patient-facing role if they have a record of patient abuse, for instance.
Collect written consent in a document separate from other application materials. The requirement for a clear and conspicuous disclosure should carry over to the consent form, so there is clarity for the applicant on what they’re consenting to when the background check is run.
If you plan to run background checks throughout the person’s employment (an increasingly common practice in highly regulated sectors such as finance and healthcare), specify this intention in the consent/authorization form. Running a report without written authorization violates the FCRA and could amount to fraud, which candidates are encouraged to report to the FTC.
In addition to gaining consent, the Consumer Financial Protection Bureau requires you to provide documents making people aware of their rights under the FCRA at certain steps of the screening process.
Adhere to Adverse Action Procedures
The FCRA establishes guidelines for what employers should do when a background check leads to a decision not to hire an applicant. This is known as an adverse action. This process protects applicants by allowing them to address potential inaccuracies or discrepancies in background check reports.
Adverse action procedures require employers to provide the applicant with a pre-adverse action notice. This notice informs the applicant that the background check results have raised concerns that may impact the hiring decision. The notice must include the background check report and a summary of their rights under the FCRA, including the right to dispute the report’s accuracy.
After a reasonable response period, employers must provide a final adverse action notice if the decision not to hire is upheld. This notice informs the applicant of the final decision. It also provides information on how to contact the CRA to dispute the report’s accuracy or ask for a free copy of the report within 60 days, and it must include a summary of their rights under the FCRA.
State and local jurisdictions may have additional requirements that must be followed in the adverse action process.
By adhering to these adverse action procedures, employers demonstrate their commitment to fairness and transparency in the hiring process. Affected applicants receive the opportunity to address potential inaccuracies, while employers demonstrate compliance with FCRA regulations.
Follow Guidelines for Retaining and Disposing of Sensitive Information
While the FTC doesn’t require employers to retain background check reports, other regulations do.
The Equal Employment Opportunity Commission (EEOC), for instance, requires employers to maintain employment records for one year after their origination or one year after those records were used to make an adverse employment decision — whichever comes later. If an employee departs voluntarily, you must retain their records for one year following their exit. If an applicant or employee files a discrimination charge against your organization, you must retain relevant records until the case gets resolved.
Once the period for preserving records has passed, the FTC dictates how applicant or employee background reports should be securely disposed of. Methods include shredding or burning paper documents and “disposing of electronic information so that it can't be read or reconstructed,” according to joint guidance from the EEOC and FTC.
The Costs of FCRA Non-Compliance
Non-compliance with FCRA requirements can expose organizations to lawsuits from job applicants or employees. The financial consequences can include actual damages, statutory damages, attorney fees, and even punitive damages. Legal battles can be costly and time-consuming. In fact, FCRA-related settlements cost companies more than $325 million over a 10-year period, CBS News reports.
In addition to lawsuits from candidates and employees, employers are also subject to penalties from the FTC for non-compliance.
The cost of non-compliance isn’t just financial: it can tarnish your reputation and generate negative media coverage. Reputational damage can have long-lasting effects on talent attraction and retention, as well as consumer trust.
3 Common Pitfalls and Challenges of FCRA Compliance
The first step to maintaining FCRA compliance is to diagnose where issues are most likely to occur. Here are three common risk areas for background screening.
Inadequate Disclosure and Consent/Authorization Practices
FCRA compliance depends on providing clear and conspicuous disclosures and obtaining consent/authorization. Something as simple as including the consent form among other application materials, for instance, can violate the FCRA requirement that you deliver the notice separately from other paperwork.
To avoid this, ensure that disclosure notices and consent forms are separate and easily understandable.
Failure to Follow Adverse Action Procedures
Another challenge is not adhering to the adverse action procedures outlined by the FCRA. Employers must provide applicants with pre-adverse action notices, copies of background check reports, and a summary of their rights, such as being able to respond before a final adverse action decision.
Inaccurate or Incomplete Background Check Reports
Relying on inaccurate or incomplete background check reports can lead to non-compliance and potential harm to applicants. Regularly review and verify the information provided by CRAs. Promptly address discrepancies or errors to uphold the accuracy and fairness of the hiring process.
As an employer, look for background screening partners that are accredited through the Professional Background Screening Association (PBSA).
4 Best Practices for FCRA Compliance With Background Check Requirements
Maintaining FCRA compliance requires intentional policies and processes. Follow these four best practices to improve your compliance and develop a fairer, more accurate background screening process.
1. Develop a Written Policy for Background Checks
Develop a comprehensive written policy that outlines the procedures, responsibilities, and guidelines for conducting background checks within your hiring process. Clear policies create consistency, regardless of who runs a background check. Make sure your policy aligns with FCRA requirements and is communicated to relevant stakeholders, including HR personnel, recruiters, and hiring managers.
The written policy should define the purpose of background checks, what checks will be conducted, and what criteria trigger a background check. If certain roles require extensive background screening processes while others don’t, for example, note that in the policy. Also document when post-hire background checks will be conducted, and whether they are one-offs or on an ongoing basis.
Your background check policy should also outline the steps involved in obtaining consent, providing disclosure and authorization forms, and following adverse action procedures.
Not every employee at your company is necessarily governed by the same regulations. For example, Federal Deposit Insurance Corporation (FDIC) rules for background checks apply to a financial company’s hiring when those people handle sensitive consumer data and financial information. But those regulations likely wouldn’t apply to a marketing hire in the same organization.
Depending on how widespread your organization is, you may be subject to a variety of local laws, in addition to the FCRA. When designing a universal background check policy, a best practice is to incorporate the strictest regulations your organization is subject to so that you can maintain consistency without risking compliance.
2. Select a Reliable Consumer Reporting Agency
Choosing a reputable and reliable CRA is crucial for conducting accurate and compliant background checks. Evaluate their compliance with FCRA regulations, their track record in providing reliable reports, and their commitment to data security and privacy. Look for background screening vendors who are accredited members of the PBSA.
Consider factors such as the CRA's reputation, industry experience, and customer reviews. Assess their data security measures, including encryption protocols, access controls, and secure storage practices. A reliable CRA should also have a robust process for verifying the accuracy and completeness of the information provided in their reports.
3. Check the Accuracy and Completeness of Background Check Reports
Regularly review your procedures for verifying the accuracy of background check information, including employment history, education credentials, and professional licenses. Promptly address discrepancies or errors that arise by working closely with your background screening partner. By being diligent about accuracy and completeness, employers maintain the integrity of the hiring process and avoid making decisions based on faulty or incomplete information.
Generally, a trusted background screening partner will take the lead in this process. When looking for a partner, seek out an agency with a track record of accurate information.
4. Safeguard Applicant Information and Data Privacy
Data privacy is a critical aspect of FCRA compliance. Employers must implement appropriate security measures to protect applicant information from unauthorized access, use, or disclosure. Protecting data requires establishing secure systems and protocols for storing and transmitting background check reports.
Make sure that applicant information is securely stored in encrypted databases or secure physical locations. Limit access to this information to authorized personnel, and implement strict access control. Establish policies and procedures for securely disposing of background check reports once they are no longer needed.
Additionally, employers must comply with relevant data privacy regulations, such as the General Data Protection Regulation or the California Consumer Privacy Act. Regularly review and update data privacy policies and practices to ensure ongoing compliance with these regulations.
By prioritizing data privacy and implementing robust security measures, you demonstrate your commitment to protecting applicant information and maintaining compliance with FCRA and applicable data privacy regulations.
Take FCRA Compliance to the Next Level
In a world where data privacy and protection are paramount, FCRA compliance serves as a foundation for ethical and responsible background check practices. By upholding high standards, you can keep candidates, employees, and the business safe.
A background screening partner can help. A partner that’s well-versed in FCRA requirements and can provide you with accurate, reliable information is invaluable to the hiring process.