On May 10, 2016, the Federal Trade Commission (FTC) released a new guidance on the Fair Credit Reporting Act (FCRA). The guidance is contained in a publication entitled “What Employment Background Screening Companies Need to Know About the Fair Credit Reporting Act”.
The publication is aimed at outlining the obligations which background screening companies have under the FCRA. The idea is that understanding such obligations makes compliance much easier. However, despite being directed at background screeners, even employers can benefit from reading the document. This is because it highlights a number of FCRA compliance requirements which are specifically intended for employers. Luckily, Crimcheck is NAPBS accredited and follow every and any guidline the FTC set forth.
Credit Reporting Agencies (CRAs)
The first question which the FTC answers in the publication is: “When is a background checking company a CRA?”
According to the FTC, any business is considered a CRA when it “provides information about people to employers for use in hiring or other employment decisions”. This includes information which bears on an individual’s character, personal characteristics, reputation, mode of living, credit standing, creditworthiness and credit capacity.
Although the goal of this definition seems obvious (i.e. establishing parameters under which background checking companies are considered CRAs), it has two subtle implications. The first is that when employers conduct their own background checks, they aren’t considered CRAs. As such, they aren’t subject to the FCRA.
The second implication is that there are companies which market consumer reports (i.e. background information), without operating as CRAs. Employers have to be careful when using such vendors. They have to be comfortable with the fact that such vendors are operating outside the bounds of the FCRA – and are as such are not subjected to the legal requirements discussed below.
Legal Requirements for CRAs
The second question which the FTC answers is about the legal requirements for CRAs. In other words, if a background checking company is considered a CRA, what is it legally required to do under the FCRA? In this respect, the FTC identifies three core requirements which every CRA must observe.
1. Accurate Reporting
The first requirement is to produce accurate background check reports. The FTC requires CRAs to establish “reasonable procedures to ensure maximum possible accuracy of the information concerning the individual about whom the report relates.” The question of what equates to “reasonable procedures” is not answered.
However, the FTC identifies a number of indicators which point to the fact that a background screening company isn’t following reasonable procedures. One indicator is when the report contains convictions of other people besides the applicant or employee. For example, when the report contains records of people with a middle name or date of birth different from the applicant/employee.
Another indicator is when the background check report contains criminal records which have been expunged or sealed. Yet another indicator is when a background check report contains multiple entries of the same offense. All these show that the CRA did not undertake measures to ensure maximum accuracy of the credit reports.
2. Employer Certifications
CRAs are required to obtain the requisite certifications from the employer. These certifications indicate that an employer will comply with its FCRA obligations. Such obligations include issuing the necessary disclosures to applicants or employees prior to conducting a background check, securing authorization to conduct the checks and using the reports strictly for employment purposes (and no other purpose).
Courtesy of this requirement, the FTC seems to place the onus on CRAs to obtain the required certifications from the employer. To some extent, this is true. However, in some cases, employers need to take the initiative to provide the certifications. For instance, in some states, there are “mini-FCRA” statutes which obligate the employer to provide the necessary certifications, and not just wait for the CRA to collect them.
3. Consumer Rights
CRAs are required to honor the rights of employees and applicants as granted by the FCRA. These rights include granting them access to background check reports when they ask for them, conducting reasonable investigations in case they dispute the accuracy of any information, and offering them a written notification of the results of any such investigations.
A common FCRA violation identified by the FTC is creating “unreasonable obstacles” for employees or applicants who are trying to exercise their FCRA rights. The FTC doesn’t cite examples of such unreasonable obstacles. However, in the past, CRAs have been sued for failing to send the required notifications to applicants who had negative background check reports. (http://www.openonline.com/Home/News-Events/News/News-Article-View/ArticleId/705/Hertz-Sued-for-Allegedly-Violating-The-FCRA)
The FTC also urges employers to be aware that applicants or employees can choose to exercise their FCRA rights. Such a decision is most likely to occur when the applicants/employees receive pre-adverse action notices. When the impending adverse action is based wholly or in part on the information contained in the report supplied by the CRA, then the employers too must enable the applicants/employees to exercise their rights.
The FTC guidance FCRA update explains specific obligations which apply in the event that a CRA has to provide a report which contains negative information found in public records. There are two options which a CRA can undertake.
The first is to send a notification to the subject of the report (i.e. employee or applicant) when information on public records is being reported. This notification is supposed to be sent independently of the pre-adverse action notice. Employers are mandated to send pre-adverse action notices irrespective of whether the CRA sends the notification or not.
The second is to maintain “strict procedures” to ensure accuracy and up-to-dateness of the information. Basically, CRAs must ensure that the negative public record information is as accurate and up-to-date as possible.
Employers Take Note
Although the publication is intended for background checking companies, the timing of its release means FCRA compliance is at the top of the FTC’s agenda. As such, even employers need to take note. A poignant pointer to this is that one of the additional resources suggested in the publication is the 2012 joint EEOC and FTC guidance entitled “Using Consumer Reports: What Employers Need To Know.”
Another pointer is the fact that the guidance was released against the backdrop of over a dozen “access letters” being mailed to sharing economy companies by the FTC. These letters were asking for information regarding their processes and policies for FCRA compliance. This clearly shows that the FTC is taking keener interest in FCRA compliance.
Therefore, any employer who desires to avoid legal problems needs to examine their FCRA policies and procedures. At a minimum, they should examine their (1) disclosure and authorization procedures; as well as their (2) adverse action notification processes to ensure that they are FCRA compliant. Otherwise, given the rising spate of FCRA lawsuits, the FTC may actually be the least of their problems.