Do I have to keep these background checks? How long is a “reasonable amount of time?” What does “permissible purpose” mean? Here are the answers to all your Fair Credit Reporting Act questions!
In 1970, the Fair Credit Reporting Act was made federal law to protect consumer rights and regulate the collection, use, and dissemination of consumer credit information. It standardized guidelines for consumer reporting agencies (Equifax, Transunion, and Experian) and businesses that provide their consumer information (AKA data furnishers) to ensure accuracy and privacy. It also promotes transparency, giving consumers access to their credit reports and empowering them with an active role in reporting and disputing inaccuracies. The act plays a crucial role in ensuring fair and unbiased decisions in various areas, including employment, credit applications, insurance, and housing.
Why it’s Important to Comply with the Fair Credit Reporting Act
It’s important to understand and comply with the FCRA for businesses and applicants alike. The only way to reap the benefits of the FCRA is to remain up to date to ensure ongoing adherence to the law.
Avoiding legal ramifications. The FCRA is a federal law and therefore carries legal obligations. Non-compliance can lead to costly penalties, fines, and even lawsuits.
Enhancing data security and privacy. The FCRA places importance on protecting the confidentiality and security of consumer credit information. Complying with its guidelines ensures that applicant data is handled securely. This minimizes the risk of data breaches or unauthorized access to sensitive information.
Preserving equality and reputation. Safeguarding the rights of job applicants is one of the main designs of the FCRA. It protects job-seekers from inaccurate or irrelevant information being used against them unfairly. Compliance not only protects applicants by ensuring they are treated fairly and have the opportunity to dispute information, but also protects the business from potentially discriminatory action. Complying with the FCRA builds trust with applicants and demonstrates the organization’s commitment to ethical hiring practices in a tangible way.
Employer Responsibilities Under the Fair Credit Reporting Act
Under the FCRA, employers have several key responsibilities, particularly when obtaining and using consumer reports for employment purposes. Here are the primary employer duties outlined by the FCRA.
Be fully transparent. From start to finish, it is the responsibility of the employer to ensure applicants and employees are informed that a consumer report may be obtained for employment purposes. Applicants must remain informed throughout the process of any action the employer plans to take (before the action is taken). See “Step 2: Obtain Required Information and Provide Disclosure” in “How to Comply With the FCRA When Conducting Background Checks” below for a more complete list of information the employer is required to provide to the employee.
Obtain consent. This is done via written disclosure. It is legally required for employers to obtain written consent from an individual before obtaining their consumer report (See “Step 1: Determine Permissible Purpose and Obtain Written Consent” below for more information).
Maintain confidentiality. Following comprehensive data confidentiality protocols is the responsibility of the employer. Ramifications of any breach of this information due to failure to maintain confidentiality falls on the employer.
How to Comply with the FCRA when Conducting Background Checks
Before running any sort of background check on any individual, it is of the utmost importance for the employer to have a solid and up-to-date understanding of FCRA requirements. Be sure to educate yourself on the responsibilities of employers, the rights of individuals, and the obligations of consumer reporting agencies (CRAs). From there, choose a reputable and FCRA-compliant CRA to conduct the background check. Research and select an agency that adheres to FCRA guidelines, provides accurate information and maintains data privacy and security. Then you’ll be ready to follow these steps:
Step 1: Determine Permissible Purpose and Obtain Written Consent
In order to rightfully conduct a background check, you must have a legitimate reason for doing so (and use the acquired report for only the specified purpose). This is enforced by the FCRA and typically includes making employment-related decisions such as hiring, firing or promoting an employee. This is not a complete list however, and it is recommended to consult with a legal professional before moving forward with obtaining a consumer report. Once you have determined a permissible purpose, you’ll need written consent in the form of a stand-alone document. This must be completely separate from any and all other forms and clearly state that a background check will be conducted.
Step 2: Obtain Required Information and Provide Disclosure
Gather all needed information to run the report from the individual. What information is required is specified by the CRA obtaining the report, however, it typically includes full name, date of birth, social security number (if permissible), and other relevant identifiers. Ensure the accuracy of the information prior to requesting the report. Then provide disclosure to the individual. This is separate from the consent previously obtained and informs the individual about the process and their relevant rights under the FCRA.
Step 3: Obtain and Review the Background Check Report
Submit the applicable information to the previously selected CRA. Once the report has been obtained, check the report and review it carefully for accuracy and completeness. Keep in mind your original permissible purpose and verify that the information obtained is relevant and compliant with FCRA guidelines.
Step 4: Pre-Adverse Action Notice (If Applicable)
In some instances, the information received requires adverse action from the employer. What constitutes adverse action should be defined in company policy. If adverse action is contemplated based on the background check, provide a pre-adverse action notice to the individual. This notice should include a copy of the background check report, a summary of their rights under the FCRA, and an opportunity for them to review and dispute the report's accuracy. This SHRM sample is an excellent resource.
Step 5: Allow Time for Dispute and Issue an Adverse Action Notice
While a specific time frame is not explicitly prescribed by the FCRA (it simply states that a reasonable amount of time should be given), courts and Federal Trade Commission guidance suggest five days. The purpose of this waiting period is to give the employee a fair opportunity to address any potential inaccuracies or errors in the consumer report before suffering adverse consequences.
Step 6: Retain Records
Here again the FCRA does not specify a specific amount of time for the retention of these reports. It is important for employers to retain documentation related to the background check process. Be sure to include any disclosures, consent forms, pre-adverse action notices and adverse action notices. These records can serve as evidence that the employer followed proper procedures and complied with the FCRA's requirements in case of any disputes or legal challenges. What retention period is appropriate for your organization depends on factors such as industry standards, state laws and potential litigation risks. Before destroying any records (of any kind, not just these reports), consult with legal counsel. They can inform you of any relevant laws and regulations to assist in making an informed decision regarding the appropriate record retention period for your organization.
Common FCRA Violations (and How to Avoid Them)
Unintentional violation of the FCRA is more common than you might think. Here are the most common mistakes to watch for to remain fully compliant:
Failure to Keep the Employee Informed
The FCRA has very specific requirements for what information should be included on each form. Employers can find themselves in hot water if they use in-house documents rather than those written by legal professionals. An employer may also fail to give prior notice to the individual before taking adverse action, or not providing a reasonable amount of time for the information to be disputed. This can be avoided by several action steps. Use legally complete forms and documentation, work with a FCRA-compliant CRA to run reports, provide above and beyond the required information to the employee in question, and address all questions and concerns promptly and thoroughly.
Failure to Provide Compliance Training
An organization may fail to provide appropriate training in several ways and for several reasons. There could be a lack of awareness (such as not defining this responsibility and who it falls on) or inadequate or outdated training programs. Organizations may also fail to provide ongoing training to ensure relevant staff are keeping up with changes to the FCRA. To avoid these shortcomings, FCRA compliance training should be prioritized. Training should be conducted on a regular basis. It might also be beneficial to utilize a FCRA-backed certification program (such as through PBSA or CDIA) to ensure the training is complete and accurate.
Failure to Maintain Adequate Records
Without consulting legal counsel, organizations might unfortunately destroy records before the appropriate time. This can become a serious issue if the company ends up facing legal repercussions such as when an employee wants to dispute adverse action taken against them.
Topics
Kayla Farber
Kayla is the Chief Innovation Officer at Hero Culture, where the passion is to create company cultures of retention using the power of personality.
Generally, yes. Under the FCRA, employers can consider an individual's credit history for employment decisions, but they must have a permissible purpose and obtain written consent. It’s important to note however that some states and local jurisdictions have additional laws and restrictions regarding the use of credit history in employment decisions so it is important to be aware of these specificities. Consult legal counsel prior to attempting to obtain such records.
There is no specified minimum or maximum length of time specified in the FCRA. It is simply stated that employers must retain records for a “reasonable amount of time.” This can vary for a number of reasons. See “Step 6: Retain Records” above for more specific information regarding the retention of records.
Do I have to keep these background checks? How long is a “reasonable amount of time?” What does “permissible purpose” mean? Here are the answers to all your Fair Credit Reporting Act questions!
In 1970, the Fair Credit Reporting Act was made federal law to protect consumer rights and regulate the collection, use, and dissemination of consumer credit information. It standardized guidelines for consumer reporting agencies (Equifax, Transunion, and Experian) and businesses that provide their consumer information (AKA data furnishers) to ensure accuracy and privacy. It also promotes transparency, giving consumers access to their credit reports and empowering them with an active role in reporting and disputing inaccuracies. The act plays a crucial role in ensuring fair and unbiased decisions in various areas, including employment, credit applications, insurance, and housing.
Why it’s Important to Comply with the Fair Credit Reporting Act
It’s important to understand and comply with the FCRA for businesses and applicants alike. The only way to reap the benefits of the FCRA is to remain up to date to ensure ongoing adherence to the law.
Avoiding legal ramifications. The FCRA is a federal law and therefore carries legal obligations. Non-compliance can lead to costly penalties, fines, and even lawsuits.
Enhancing data security and privacy. The FCRA places importance on protecting the confidentiality and security of consumer credit information. Complying with its guidelines ensures that applicant data is handled securely. This minimizes the risk of data breaches or unauthorized access to sensitive information.
Preserving equality and reputation. Safeguarding the rights of job applicants is one of the main designs of the FCRA. It protects job-seekers from inaccurate or irrelevant information being used against them unfairly. Compliance not only protects applicants by ensuring they are treated fairly and have the opportunity to dispute information, but also protects the business from potentially discriminatory action. Complying with the FCRA builds trust with applicants and demonstrates the organization’s commitment to ethical hiring practices in a tangible way.
Employer Responsibilities Under the Fair Credit Reporting Act
Under the FCRA, employers have several key responsibilities, particularly when obtaining and using consumer reports for employment purposes. Here are the primary employer duties outlined by the FCRA.
Be fully transparent. From start to finish, it is the responsibility of the employer to ensure applicants and employees are informed that a consumer report may be obtained for employment purposes. Applicants must remain informed throughout the process of any action the employer plans to take (before the action is taken). See “Step 2: Obtain Required Information and Provide Disclosure” in “How to Comply With the FCRA When Conducting Background Checks” below for a more complete list of information the employer is required to provide to the employee.
Obtain consent. This is done via written disclosure. It is legally required for employers to obtain written consent from an individual before obtaining their consumer report (See “Step 1: Determine Permissible Purpose and Obtain Written Consent” below for more information).
Maintain confidentiality. Following comprehensive data confidentiality protocols is the responsibility of the employer. Ramifications of any breach of this information due to failure to maintain confidentiality falls on the employer.
How to Comply with the FCRA when Conducting Background Checks
Before running any sort of background check on any individual, it is of the utmost importance for the employer to have a solid and up-to-date understanding of FCRA requirements. Be sure to educate yourself on the responsibilities of employers, the rights of individuals, and the obligations of consumer reporting agencies (CRAs). From there, choose a reputable and FCRA-compliant CRA to conduct the background check. Research and select an agency that adheres to FCRA guidelines, provides accurate information and maintains data privacy and security. Then you’ll be ready to follow these steps:
Step 1: Determine Permissible Purpose and Obtain Written Consent
In order to rightfully conduct a background check, you must have a legitimate reason for doing so (and use the acquired report for only the specified purpose). This is enforced by the FCRA and typically includes making employment-related decisions such as hiring, firing or promoting an employee. This is not a complete list however, and it is recommended to consult with a legal professional before moving forward with obtaining a consumer report. Once you have determined a permissible purpose, you’ll need written consent in the form of a stand-alone document. This must be completely separate from any and all other forms and clearly state that a background check will be conducted.
Step 2: Obtain Required Information and Provide Disclosure
Gather all needed information to run the report from the individual. What information is required is specified by the CRA obtaining the report, however, it typically includes full name, date of birth, social security number (if permissible), and other relevant identifiers. Ensure the accuracy of the information prior to requesting the report. Then provide disclosure to the individual. This is separate from the consent previously obtained and informs the individual about the process and their relevant rights under the FCRA.
Step 3: Obtain and Review the Background Check Report
Submit the applicable information to the previously selected CRA. Once the report has been obtained, check the report and review it carefully for accuracy and completeness. Keep in mind your original permissible purpose and verify that the information obtained is relevant and compliant with FCRA guidelines.
Step 4: Pre-Adverse Action Notice (If Applicable)
In some instances, the information received requires adverse action from the employer. What constitutes adverse action should be defined in company policy. If adverse action is contemplated based on the background check, provide a pre-adverse action notice to the individual. This notice should include a copy of the background check report, a summary of their rights under the FCRA, and an opportunity for them to review and dispute the report's accuracy. This SHRM sample is an excellent resource.
Step 5: Allow Time for Dispute and Issue an Adverse Action Notice
While a specific time frame is not explicitly prescribed by the FCRA (it simply states that a reasonable amount of time should be given), courts and Federal Trade Commission guidance suggest five days. The purpose of this waiting period is to give the employee a fair opportunity to address any potential inaccuracies or errors in the consumer report before suffering adverse consequences.
Step 6: Retain Records
Here again the FCRA does not specify a specific amount of time for the retention of these reports. It is important for employers to retain documentation related to the background check process. Be sure to include any disclosures, consent forms, pre-adverse action notices and adverse action notices. These records can serve as evidence that the employer followed proper procedures and complied with the FCRA's requirements in case of any disputes or legal challenges. What retention period is appropriate for your organization depends on factors such as industry standards, state laws and potential litigation risks. Before destroying any records (of any kind, not just these reports), consult with legal counsel. They can inform you of any relevant laws and regulations to assist in making an informed decision regarding the appropriate record retention period for your organization.
Common FCRA Violations (and How to Avoid Them)
Unintentional violation of the FCRA is more common than you might think. Here are the most common mistakes to watch for to remain fully compliant:
Failure to Keep the Employee Informed
The FCRA has very specific requirements for what information should be included on each form. Employers can find themselves in hot water if they use in-house documents rather than those written by legal professionals. An employer may also fail to give prior notice to the individual before taking adverse action, or not providing a reasonable amount of time for the information to be disputed. This can be avoided by several action steps. Use legally complete forms and documentation, work with a FCRA-compliant CRA to run reports, provide above and beyond the required information to the employee in question, and address all questions and concerns promptly and thoroughly.
Failure to Provide Compliance Training
An organization may fail to provide appropriate training in several ways and for several reasons. There could be a lack of awareness (such as not defining this responsibility and who it falls on) or inadequate or outdated training programs. Organizations may also fail to provide ongoing training to ensure relevant staff are keeping up with changes to the FCRA. To avoid these shortcomings, FCRA compliance training should be prioritized. Training should be conducted on a regular basis. It might also be beneficial to utilize a FCRA-backed certification program (such as through PBSA or CDIA) to ensure the training is complete and accurate.
Failure to Maintain Adequate Records
Without consulting legal counsel, organizations might unfortunately destroy records before the appropriate time. This can become a serious issue if the company ends up facing legal repercussions such as when an employee wants to dispute adverse action taken against them.
Topics
Kayla Farber
Kayla is the Chief Innovation Officer at Hero Culture, where the passion is to create company cultures of retention using the power of personality.
Generally, yes. Under the FCRA, employers can consider an individual's credit history for employment decisions, but they must have a permissible purpose and obtain written consent. It’s important to note however that some states and local jurisdictions have additional laws and restrictions regarding the use of credit history in employment decisions so it is important to be aware of these specificities. Consult legal counsel prior to attempting to obtain such records.
There is no specified minimum or maximum length of time specified in the FCRA. It is simply stated that employers must retain records for a “reasonable amount of time.” This can vary for a number of reasons. See “Step 6: Retain Records” above for more specific information regarding the retention of records.