You already know about legal compliance in your industry. Healthcare companies know HIPAA, banking and financial services companies know DODD-FRANK and FINRA, energy companies know FERC, trucking companies know DOT and FMCSA, and the list goes on … and on.
You probably don’t know a lot, though, about legal compliance in background screening.
But you should.
Background screening applies to every industry and every employer, and it’s in your best interest to make sure you’re doing it in accordance with laws and regulations.
Obvious? Yes. Employers have specific obligations. The background screening company – defined as a “consumer reporting agency” (CRA) – also has very specific obligations.
The laws and regulations surrounding background screening are designed to protect: 1) the “consumer” – your candidate for employment or continued employment, and 2) the “user” – that’s you as the employer and user of background reports. When both parties comply with applicable law and regulation, they are protected and both win. In theory, the consumer gets a good job and the employer gets a good employee.
Non-compliance can be expensive. Employers are frequently the subject of class action litigation regarding their background screening practices and, without admitting any wrongdoing, pay multi-million dollar settlements. The settlement list is long and includes companies like Dish Network – $1.75M, Uber – $7.5M, Publix Supermarkets – $6.8M, Swift Transportation – $4.4M, Lowe’s – $22.5M, and Wells Fargo – $16M to name just a few.
There are several primary laws that apply to background screening, but there are also several layers of regulations and requirements that add significant complexity to even the most straight forward screening programs.
The primary federal law regulating background screening in the U.S. is the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681 et seq. Other laws and regulations come from local, state, and federal sources including FCRA state analogues, ban the box, criminal, credit, and privacy laws. Bodies such as the FTC, CFPB, and EEOC add even more regulatory requirements and best practices guidance.
Outside the U.S., country and regional law come into play, often under the umbrella of “personal privacy laws.” Examples include Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, Bundesdatenschutzgesetz (BDSG) in Germany, Personal Data Protection Law (PDPL) in Taiwan, and Anteprojeto de Lei para a Proteção de Dados Pessoais (Protection of Personal Data) in Brazil.
The amount of law and regulation governing background screening is immense! Highly competent, compliant background screening companies utilize strict methodologies to develop, maintain, and continually improve compliance programs.
The screening company must have subject matter experts. These experts are responsible for monitoring changing compliance requirements, understanding those requirements, and working with others throughout the organization to ensure enterprise-wide compliance.
The screening company must have specific, repeatable, controlled processes to ensure consistent adherence to compliant operational procedures. This includes human processes and technological processes.
The screening company must regularly audit all activities to ensure ongoing conformance to defined processes and compliance obligations.
The screening company must be vigilant in continuously adjusting processes to accommodate changing laws and regulations, best practices, and achieve optimal outcomes.
Section 607 of the FCRA requires a screening company to “follow reasonable procedures to assure maximum possible accuracy.” Section 613 increases accuracy requirements when the information being reported is a public record, such as a criminal record, and requires the screening company “maintain strict procedures [to ensure reported information] is complete and up to date.”
Employers must have accurate information to use in their employment decisions. A compliant screening company will follow stringent processes – each and every time – requiring records be confirmed at the source before reporting to a client. For example, criminal records will not be reported based only upon a commercial database finding. Rather, the record will be researched at the originating source, such as a county court, and multiple identifiers will be used to confirm a certain record belongs to a specific individual.
The federal FCRA, FCRA state analogues, and other law and regulation impose limits on what information may be reported by a screening company and/or considered by an employer as part of an employment decision. For example, Section 605 of the FCRA prohibits reporting of non-convictions (i.e., arrest-only records, not guilty findings, and dismissed charges) older than seven years. Some states also limit reporting of convictions to seven years. Various federal, state and local law and regulation require certain notices be included with background reports.
The list goes on (and on!) of information that cannot be reported, or reported only under certain circumstances. The bottom line for employers is background reports presented to them by their screening partner should include only legally permissible information. (An employer who claims they did not consider prohibited information – when it appears on the background report – will be in a position that is difficult to defend.) This is another area where a compliant screening company will use rigorous, consistent processes to ensure report content and attachments meet applicable requirements.
Section 607 of the FCRA requires screening companies “make a reasonable effort to verify the identity of a new prospective user and the uses certified” before providing background reports to a user (the employer client). This means a screening company must conduct due diligence on every prospective client before providing background reports.
Background reports contain much confidential information that must be protected. In an age of identity theft and data breaches, compliant screening companies conduct methodical credentialing of every prospective employer client. The screening company must ensure they provide background reports only to legitimate business enterprises that have a permissible purpose for obtaining the background report.
Section 604 of the FCRA requires a screening company obtain a certification signed by the user (the employer client) in which the client “certifies to the [consumer reporting] agency” the client will take specific actions when procuring and using background reports. Among the specific requirements to which the client must certify agreement: 1) having a permissible purpose, 2) providing disclosure, 3) obtaining written authorization, 4) following adverse action procedures, and 5) not using information in violation of any Federal or State equal opportunity law or regulation.
Compliant screening companies will detail these FCRA requirements in their client agreement. Calling out these specific obligations is not only legally required, it is also one of the first opportunities for client education. Further, it demonstrates the screening company’s diligence regarding compliance within their organization and that of their clients.
Note: When employers are the subject of FCRA based class litigation, the alleged violations most frequently involve failure to comply with requirements for disclosure, authorization, and adverse action. While not addressed in detail here, employers can download EBI’s Guide to Adverse Action for more information.
The FCRA, security law, and privacy law all stress the importance of confidentiality and protection of consumer data, much of which is considered “Personally Identifiable Information (PII).” Security-conscious screening companies will protect all client information and that of client candidates and treat all such information as confidential.
Compliant screening companies will protect data by using a variety of technology tools and following strict security protocols. These tools and protocols will be tested regularly to ensure they are working properly, are followed consistently, and continue to provide appropriate security given rapidly changing environments. Professional, high quality screening companies will demonstrate compliance with security, confidentiality, and privacy requirements. They will also be aware of and, to the extent possible, accommodate best practices. By doing so, clients can be confident their data is protected and handled in a secure, confidential manner.
The FCRA does not specifically address the use of technology in the context of background screening for employment purposes. When designed and used properly, however, technology can provide strong support for compliance and enhance compliance through enforcement protocols.
When designed properly, this “technology driven compliance” is a great tool and can do things such as:
In order for compliance to capitalize on technology, screening companies must first have compliance experts who understand legal and regulatory requirements.
Second, the screening company must have technology experts to work with compliance experts to develop compliant solutions.
Third, the screening company must understand the needs and wants of their employer clients.
The best solutions can only be crafted when compliance, technology, and client needs are all understood.
Screening companies have an obligation to train and continually educate their own team members. Frequent, ongoing training and education is needed to ensure workers continue to follow established processes, as well as learn new processes as compliance requirements change.
Employer clients also need education. Obviously, employer clients must learn how to use the screening company’s technology platform – that’s usually pretty easy. Equally important (or perhaps more important) is for clients to continually have access to information and education about the current screening environment, changes in law and regulation, and best practices based on screening-related events (such as regulatory guidance and litigation activity). Although screening companies cannot provide legal counsel, they can provide information to help clients make informed, smart choices. Compliant screening companies will offer education through blogs, newsletters, whitepapers, webinars, recorded sessions, resource links and more.
Importantly, in addition to daily customer support, they will also provide experienced Account Managers as a single point of contact for client strategic assistance.
Smart screening companies manage and minimize. This will be evidenced by compliance experts and fully compliant processes and systems. In addition, risk is mitigated by no offshoring of domestic processing, no offshoring of data, no offshoring of customer service, at-the-source confirmation of data prior to reporting, highly secure systems, compliance-enabling technology, controlled processes, frequent audits, due diligence in employee selection and retention, and due diligence in client acceptance.
An active risk mitigation program provides assurance to clients that everything reasonably possible is being done to protect them and their data, while providing information rich, compliant background screening reports.
When selecting a background screening partner, how can an employer be reasonably sure the screening company understands compliance in the screening world, has internal processes to ensure consistent compliance, and assists clients in maintaining compliance? As part of due diligence, look for third-party evidence.
We hope this has given you a good sense of how important compliance is in your background screening program. For more “behind the screen” looks, visit Parts 1 and 2 of the series here:
Jessica Cohen Taubman
Jessica Cohen Taubman is the Compliance Manager at EBI. She holds a Juris Doctor from the Emory University School of Law and a Master of Science in Criminology from the University of Pennsylvania, and is an active member of the State Bar of Georgia. Her legal background and experience in various facets of the criminal justice system have helped shape her work in the background screening and drug testing industries.