Behind the Screen Part 3 – Compliance in Background Screening: What Is It, and Why Should I Care?
You already know about legal compliance in your industry. Healthcare companies know HIPAA, banking and financial services companies know Dodd-Frank and FINRA, energy companies know FERC, trucking companies know DOT and FMCSA, and the list goes on … and on.
You probably don’t know a lot, though, about legal compliance in background screening.
But you should.
Background screening applies to every industry and every employer, and it’s in your best interest to make sure you’re doing it in accordance with laws and regulations.
Why Compliant Background Screening is Important
1. It’s the law!
Obvious? Yes. Employers have specific obligations. The background screening company – defined as a “consumer reporting agency” (CRA) – also has very specific obligations.
2. Protect Consumers and Employers
The laws and regulations surrounding background screening are designed to protect: 1) the “consumer” – your candidate for employment or continued employment, and 2) the “user” – that’s you as the employer and user of background reports. When both parties comply with applicable law and regulation, they are protected and both win. In theory, the consumer gets a good job and the employer gets a good employee.
3. Avoid Costly Litigation
Non-compliance can be expensive. Employers are frequently the subject of class action litigation regarding their background screening practices and, without admitting any wrongdoing, pay multi-million dollar settlements. The settlement list is long and includes companies like Dish Network - $1.75M, Uber - $7.5M, Publix Supermarkets - $6.8M, Swift Transportation - $4.4M, Lowe’s - $22.5M, and Wells Fargo - $16M to name just a few.
There are several primary laws that apply to background screening, but there are also several layers of regulations and requirements that add significant complexity to even the most straightforward screening programs.
The primary federal law regulating background screening in the U.S. is the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681 et seq. Other laws and regulations come from local, state, and federal sources including FCRA state analogues, ban the box, criminal, credit, and privacy laws. Bodies such as the FTC, CFPB, and EEOC add even more regulatory requirements and best practices guidance.
Outside the U.S., country and regional laws come into play, often under the umbrella of “personal privacy laws.” Examples include the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the Bundesdatenschutzgesetz (BDSG) in Germany, the Personal Data Protection Law (PDPL) in Taiwan, and the Anteprojeto de Lei para a Proteção de Dados Pessoais (Protection of Personal Data) in Brazil.
The amount of law and regulation governing background screening is immense! Highly competent, compliant background screening companies utilize strict methodologies to develop, maintain, and continually improve compliance programs.
Characteristics of a Compliant Background Screening Company
The screening company must have subject matter experts. These experts are responsible for monitoring changing compliance requirements, understanding those requirements, and working with others throughout the organization to ensure enterprise-wide compliance.
The screening company must have specific, repeatable, controlled processes to ensure consistent adherence to compliant operational procedures. This includes human processes and technological processes.
The screening company must regularly audit all activities to ensure ongoing conformance to defined processes and compliance obligations.
The screening company must be vigilant in continuously adjusting processes to accommodate changing laws, regulations, and best practices, and to achieve optimal outcomes.
What to Look for in a Compliant Background Screening Partner
1. Accurate Source Information
Section 607 of the FCRA requires a screening company to “follow reasonable procedures to assure maximum possible accuracy.” Section 613 increases accuracy requirements when the information being reported is a public record, such as a criminal record, and requires the screening company “maintain strict procedures [to ensure reported information] is complete and up to date.”
Employers must have accurate information to use in their employment decisions. A compliant screening company will follow stringent processes – each and every time – requiring records be confirmed at the source before reporting to a client. For example, criminal records will not be reported based only upon a commercial database finding. Rather, the record will be researched at the originating source, such as a county court, and multiple identifiers will be used to confirm a certain record belongs to a specific individual.
2. Compliant Reporting
The federal FCRA, FCRA state analogues, and other laws and regulations impose limits on what information may be reported by a screening company and/or considered by an employer as part of an employment decision. For example, Section 605 of the FCRA prohibits reporting of non-convictions (i.e., arrest-only records, not guilty findings, and dismissed charges) older than seven years. Some states also limit reporting of convictions to seven years. Various federal, state, and local laws and regulations require that certain notices be included with background reports.
The list of information that cannot be reported, or may be reported only under certain circumstances, goes on (and on!). The bottom line for employers is that background reports presented to them by their screening partner should include only legally permissible information. (An employer who claims they did not consider prohibited information – when it appears on the background report – will be in a position that is difficult to defend.) This is another area where a compliant screening company will use rigorous, consistent processes to ensure report content and attachments meet applicable requirements.
3. Client Credentialing
Section 607 of the FCRA requires screening companies “make a reasonable effort to verify the identity of a new prospective user and the uses certified” before providing background reports to a user (the employer client). This means a screening company must conduct due diligence on every prospective client before providing background reports.
Background reports contain much confidential information that must be protected. In an age of identity theft and data breaches, compliant screening companies conduct methodical credentialing of every prospective employer client. The screening company must ensure they provide background reports only to legitimate business enterprises that have a permissible purpose for obtaining the background report.
4. User Certification
Section 604 of the FCRA requires that a screening company obtain a certification signed by the user (the employer client) in which the client “certifies to the [consumer reporting] agency” that the client will take specific actions when procuring and using background reports. Among the specific requirements to which the client must certify agreement: 1) having a permissible purpose, 2) providing disclosure, 3) obtaining written authorization, 4) following adverse action procedures, and 5) not using information in violation of any Federal or State equal opportunity law or regulation.
Compliant screening companies will detail these FCRA requirements in their client agreement. Calling out these specific obligations is not only legally required, it is also one of the first opportunities for client education. Further, it demonstrates the screening company’s diligence regarding compliance within their organization and that of their clients.
Note: When employers are the subject of FCRA-based class litigation, the alleged violations most frequently involve failure to comply with requirements for disclosure, authorization, and adverse action. While not addressed in detail here, employers can download EBI's Guide to Adverse Action for more information.
5. Confidentiality, Privacy, and Security
The FCRA, security law, and privacy law all stress the importance of confidentiality and protection of consumer data, much of which is considered “Personally Identifiable Information (PII).” Security-conscious screening companies will protect all client information and that of client candidates and treat all such information as confidential.
Compliant screening companies will protect data by using a variety of technology tools and following strict security protocols. These tools and protocols will be tested regularly to ensure they are working properly, are followed consistently, and continue to provide appropriate security given rapidly changing environments. Professional, high quality screening companies will demonstrate compliance with security, confidentiality, and privacy requirements. They will also be aware of and, to the extent possible, accommodate best practices. As a result, clients can be confident their data is protected and handled in a secure, confidential manner.
6. Technology-Driven Compliance
The FCRA does not specifically address the use of technology in the context of background screening for employment purposes. When designed and used properly, however, technology can provide strong support for compliance and enhance compliance through enforcement protocols.
When designed properly, this “technology-driven compliance” is a great tool and can do things such as:
- Provide disclosure to the consumer.
- Ensure an authorization is obtained.
- Facilitate adverse action processing.
- Support compliant electronic signatures to help expedite screening.
- Link proper notices to background reports. Examples include notices such as the FCRA Federal Summary of Rights, New York Article 23-A, and California FCRA consumer notice.
- Provide forms management by automatically serving up needed forms to an employer or a candidate based upon information sought. Examples include driving record forms, country-specific information access forms, and statewide criminal record forms.
- Redact Personally Identifiable Information (PII) such as full SSN, DOB, and driver’s license number.
In order for compliance to capitalize on technology, screening companies must first have compliance experts who understand legal and regulatory requirements.
Second, the screening company must have technology experts to work with compliance experts to develop compliant solutions.
Third, the screening company must understand the needs and wants of their employer clients.
The best solutions can only be crafted when compliance, technology, and client needs are all understood.
7. Educate and Guide
Screening companies have an obligation to train and continually educate their own team members. Frequent, ongoing training and education is needed to ensure workers continue to follow established processes, as well as learn new processes as compliance requirements change.
Employer clients also need education. Obviously, employer clients must learn how to use the screening company’s technology platform – that’s usually pretty easy. Equally important (or perhaps more important) is for clients to continually have access to information and education about the current screening environment, changes in law and regulation, and best practices based on screening-related events (such as regulatory guidance and litigation activity). Although screening companies cannot provide legal counsel, they can provide information to help clients make informed, smart choices. Compliant screening companies will offer education through blogs, newsletters, whitepapers, webinars, recorded sessions, resource links and more.
Importantly, in addition to daily customer support, they will also provide experienced Account Managers as a single point of contact for client strategic assistance.
8. Risk Management
Smart screening companies manage and minimize risk. This will be evidenced by compliance experts and fully compliant processes and systems. In addition, risk is mitigated by no offshoring of domestic processing, no offshoring of data, no offshoring of customer service, at-the-source confirmation of data prior to reporting, highly secure systems, compliance-enabling technology, controlled processes, frequent audits, due diligence in employee selection and retention, and due diligence in client acceptance.
An active risk mitigation program provides assurance to clients that everything reasonably possible is being done to protect them and their data, while providing information-rich, compliant background screening reports.
Checklist for Selecting a Compliant Background Screener
When selecting a background screening partner, how can an employer be reasonably sure the screening company understands compliance in the screening world, has internal processes to ensure consistent compliance, and assists clients in maintaining compliance? As part of due diligence, look for third-party evidence.
- Accreditation by the National Association of Professional Background Screeners (NAPBS)
- ISO 9001:2008 Quality Certification
- ISO 27001:2013 Security Certification
- Partnerships with domestic and global legal counsel
- Internal compliance department staffed with attorneys and subject matter experts
- Advanced FCRA Certification for select individuals
- Technology that promotes and enforces compliant processes
- Litigation history for alleged non-compliance
We hope this has given you a good sense of how important compliance is in your background screening program. For more “behind the screen” looks, visit Parts 1 and 2 of the series here: