FCRA-Compliant Background Checks: An Employer's Guide

Employers spend tens of millions of dollars every year in Fair Credit Reporting Act (FCRA) class-action settlements filed against them. Most of these situations result from simple mistakes rather than ill intent: disclosure forms with an extra line of text or an adverse action process that skips a required step. The FCRA is exacting, and the margin for error is small.

This guide explains what an FCRA-compliant background check actually requires, where employers most commonly go wrong, and what compliance means in practice, including how state laws layer on top of federal standards.

Table of Contents

1. What Is an FCRA Background Check?
2. What Makes for a FCRA-Compliant Background Check?
3. What Can Be Included in an FCRA Background Check?
4. Common FCRA Compliance Mistakes Employers Make
5. FCRA vs. State and Local Law
6. How to Build a Compliant Background Check Program
7. Frequently Asked Questions
8. How Cisive Can Help You Stay Compliant With FCRA

What Is an FCRA Background Check?

Before Congress passed the FCRA in 1970, federal law didn’t specifically restrict private companies’ collection and use of personal information about individuals. More than five decades later, the law remains the primary legal framework for employment background screening in the United States — and the biggest source of compliance risk for employers running background checks.

An FCRA background check is any activity that constitutes a "consumer report" under the law, meaning it's prepared by a third-party CRA and used to evaluate someone for employment purposes, including hiring, promotion, retention, or reassignment.

The FCRA applies whenever a third party compiles a consumer report. While in-house background checks aren’t generally subject to FCRA, many of the same principles and requirements are mandated by myriad other laws at the federal, state, and local levels.

What Makes for a FCRA-Compliant Background Check?

FCRA compliance isn't a single requirement. It's a sequence of obligations that apply before, during, and after the background screening process. Even small technical mistakes can create an opportunity for class-action litigation against an employer. Here are some of the factors that go into compliance.

Standalone Disclosure and Written Authorization

Before obtaining a consumer report for employment purposes, employers must provide a written disclosure informing the applicant that a background check will be conducted. The applicant must also provide written authorization before the employer can obtain the report.

Under FCRA Section 1681b(b)(2)(A), that disclosure must appear in a standalone document. Such documents shouldn’t contain liability waivers, nondisclosure agreements, references to your policies, or state-level disclosure content.

Employers often discover this problem only after a class-action has been filed, and courts have interpreted this rule strictly. In Walker v. Fred Meyer, Inc., the U.S. Court of Appeals for the Ninth Circuit found that language referencing other legal rights violated the standalone requirement.

Pre-Adverse Action Notice

Before an employer can decline to hire, promote, or retain someone based on information in a background check report, the FCRA requires a specific sequence of events.

The employer must first send a pre-adverse action notice. A pre-adverse action notice should be sent to the candidate the moment any information returned in the report is cause for pause or deliberation. The notice should include:

• A notice that adverse action is being considered
• A copy of the consumer report that factored into the decision
• A copy of "A Summary of Your Rights Under the Fair Credit Reporting Act" (available from the FTC)

After that notice, the employer must wait a reasonable period before finalizing the decision. The FCRA doesn't specify how long that should be. The widely accepted best practice is at least five business days, though some state and local laws now require a longer period to allow the candidate/employee an opportunity to respond.

Final Adverse Action Notice

If the employer proceeds with an adverse employment decision, a final adverse action notice must be sent. Per the FTC's employer guidance, this notice must include:

• A statement that the person wasn’t hired, promoted, or retained due to information in the background report
• The name, address, and phone number of the CRA that provided the report
• A statement that the CRA didn't make the hiring decision and can’t provide specific reasons
• Notice of the applicant's right to dispute the accuracy of the report
• Notice of the right to obtain a free copy of the report within 60 days

What Can Be Included in an FCRA Background Check?

The scope of an FCRA background check should be specific to the role, the industry, and applicable state law. Federal law sets the floor on what can and can't be reported — but state rules often go further. Some components carry restrictions that can catch employers off guard.

Criminal History

Federal law under the FCRA prohibits reporting certain information that is more than seven years old, such as arrest records. This prohibition only applies to positions paying less than $75,000 annually. All criminal convictions can be reported under federal law, although states, including California, Massachusetts, Washington, and Texas, tend to limit the reporting periods to seven years even for criminal convictions.

An advisory opinion from the Consumer Financial Protection Bureau (CFPB) in 2024 established guidance that CRAs shouldn’t report criminal records that have been expunged or sealed.

Employment, Education, and Credit Verification

Employment verification confirms dates of employment, job titles, and eligibility for rehire. When a third party conducts interviews regarding an individual's performance, discipline, or conduct, the result may qualify as an "investigative consumer report," triggering additional disclosure requirements.

Education verification confirms degrees and credentials, which are particularly important in healthcare and other licensed professions.

Employers looking to obtain credit history through an FCRA-compliant process should confirm their state's regulations before running credit checks. At least 13 states restrict or prohibit employer credit checks, including California, Colorado, Illinois, Maryland, New York, and Washington. New York adds further restrictions on April 18, 2026.

Motor Vehicle Records and Other Consumer Reports

Motor Vehicle Record (MVR) checks confirm license status, violations, and suspensions, which is particularly important for roles regulated by the Department of Transportation or otherwise requiring motor vehicle operation.

Other types of consumer reports include professional license verification and reference checks. When conducted by a third party, reference checks may also constitute an investigative consumer report under the FCRA.

Common FCRA Compliance Mistakes Employers Make

Most FCRA litigation against employers doesn't arise from intentional violations but from preventable process failures.

Defective Disclosure Forms

The standalone disclosure requirement is among the most litigated FCRA issues. Employers can create standing for a class action simply by adding a sentence referencing state rights, including a liability waiver, or combining the disclosure with the employment application form or policy documents.

In 2023, an auto parts supplier settled a disclosure form case for $950,000. The costs quickly compound when calculating exposure per violation over time across an applicant class.

Skipping or Rushing the Adverse Action Process

Some employers take action immediately upon reviewing a background check report, rather than issuing a pre-adverse action notice or observing the appropriate waiting period. When this happens, the applicant doesn’t get to review the background report or dispute potentially inaccurate information before a hiring decision is finalized.

Cisive's adverse action compliance guide walks through each required step and highlights where employers most often stumble.

Running Checks Without Written Consent

Authorization must be obtained in writing before the report is pulled. It must be a standalone form — not combined with an employment application or offer letter. When employers don’t secure clear, unambiguous consent to background checks, they create liability.

Relying on Inaccurate Reports

Background reports can contain errors, such as outdated records, misidentified individuals, or improperly reported expungements. When an adverse action is taken based on faulty information, the employer bears part of the compliance risk.

This is where the choice of screening provider matters directly. The CFPB's 2024 advisory opinion reinforced that CRAs must prevent reporting of information that has been legally sealed or expunged and must not report duplicative records.

FCRA vs. State and Local Law

The FCRA establishes the federal foundation for screening, while the enforcement guidance from the Equal Employment Opportunity Commission requires employers to apply appropriate risk-measurement considerations and weigh the nature of the offense, the time elapsed, and the specific job requirements before taking an adverse action based on criminal history.

But employers can face a patchwork of additional requirements based on state or even local laws and regulations. For example, roughly 13 states also restrict how credit checks are used in employment decisions.

In addition, more than 37 states and 150+ municipalities have enacted “fair chance” hiring laws, also known as “ban the box laws.” These laws restrict when employers can ask about criminal history — often delaying such inquiries until after a conditional offer is made. Some mandate the same EEOC “individualized assessment” requirement before denying employment based on a criminal record.

Philadelphia amended its Fair Criminal Record Screening Standards effective January 6, 2026, reducing the lookback period for misdemeanor convictions from seven years to four years.

The legal and regulatory landscape isn’t static. For employers, staying current on FCRA compliance best practices is an ongoing obligation.

How to Build a Compliant Background Check Program

Employers need a repeatable, scalable process for FCRA background checks, starting with selecting a third party to run the program.

Work with an FCRA-Compliant Screening Provider

Lay the foundation for compliant background screening by choosing a CRA with a demonstrated track record of accurate reporting and current knowledge of state and local law. Look for Professional Background Screening Association accreditation. Ask how prospective providers handle record inaccuracies, expungements, and state-specific restrictions.

Cisive has maintained a 99.9994% accuracy rate across 40+ years in the industry, with zero data breaches since inception.

Standardize Your Processes for Disclosure and Adverse Action

Ad hoc processes encourage compliance gaps. Embedding FCRA requirements into your hiring process starts with documented, written procedures. Make sure to document which background checks are required for each role, what the disclosure form looks like, and the steps from receiving a report to making a final decision.

Have your screening documents reviewed by legal counsel familiar with the FCRA requirements before they’re used. Adverse action workflows should include checkpoints that prevent the process from advancing until each required step is complete.

Audit Regularly

Compliance is an ongoing activity that requires regular review of both employer actions and legal changes. An FCRA compliance audit, conducted at least annually with legal counsel, should review disclosure and authorization forms, the adverse action workflow, and applicable state or local laws, including relevant hiring locations.

One emerging area worth monitoring is the use of artificial intelligence (AI)-powered screening tools. Any third-party tool that scores or filters applicants may qualify as a consumer report. A 2026 class action alleges violations of FCRA and California law for generating algorithmic applicant scores without proper notice or consent.

Frequently Asked Questions About FCRA Background Checks

What is an FCRA background check?

An FCRA background check is a consumer report prepared by a third-party consumer reporting agency for employment purposes. It may include criminal history, employment verification, education verification, credit reports, and motor vehicle records. The Fair Credit Reporting Act governs this process.

What makes a background check FCRA-compliant?

FCRA compliance requires a standalone written disclosure, written consent before any report is pulled, and certification to the CRA. If the results factor into an adverse employment decision, employers must provide a pre-adverse-action notice and a final adverse-action notice, with a waiting period between them.

Do all employment background checks fall under the FCRA?

No. The FCRA applies when a third-party CRA compiles the report. In-house checks aren’t subject to FCRA procedures. However, many of the same principles and requirements are mandated by myriad other laws at the federal, state, and local levels.

If any third-party company is involved in assembling or delivering the report, FCRA applies.

How long does an FCRA background check take?

Most FCRA-compliant background checks are completed within one to three business days, depending on the scope and number of jurisdictions searched. For standard criminal history searches, Cisive closes 78% within one hour.

Can an employer run a background check without consent?

No. Running an unauthorized check is an FCRA violation. Employers must obtain written consent before generating a consumer report for employment purposes. Violations can be classified as willful, which carries statutory damages of $100 to $1,000 per violation and may also result in punitive damages. See Cisive's FCRA compliance best practices guide for the full scope of employer obligations.

How Cisive Can Help You Stay Compliant With FCRA

FCRA compliance is a process discipline. The disclosure form, the consent workflow, the adverse action sequence, and the choice of screening provider. Each step creates either a defensible record or a liability. There's little room for approximation.

Cisive delivers employment background screening for organizations that can't afford to get it wrong. With 40+ years of experience, a 99.9994% accuracy rate, and deep expertise in healthcare, transportation, and financial services, Cisive builds the compliance foundation into the screening process itself.

Speak to a Cisive pro to discuss your background screening program and where compliance gaps most commonly appear.