FCRA Compliance: What You Really Need to Know
What does adverse action mean in hiring? Learn the steps employers must follow when taking adverse action, and the rights of job candidates who receive adverse action notices.
Elizabeth McLean
9 min read
Before conducting employment background checks, federal law requires employers to inform candidates and get their consent. But complying with FCRA disclosure and FCRA consent requirements—not to mention state and local consent and disclosure laws—can be confusing.
Here’s how to ensure your FCRA disclosure and authorization forms comply with the laws.
Pre-employment background checks are subject to strict regulations under a measure known as the Fair Credit Reporting Act (FCRA), and failure to meet FCRA requirements when running background checks on job candidates can result in financial penalties and legal troubles.
One common source of confusion for many employers occurs before a background check even begins, with requirements known as FCRA disclosure and FCRA authorization (or FCRA consent).
The idea behind these requirements is straightforward—before conducting a background check on a job applicant, a hiring company must:
But, as with many other forms of regulatory compliance, the devil is in the details.
FCRA disclosure and authorization requirements (and related state and local compliance rules) are deceptively tricky—having been the source of many unfair-hiring lawsuits and civil penalties.
The fact that FCRA disclosure and authorization language typically appear in forms used by multiple job applicants can amplify the impact of getting them wrong: Depending on the size of the hiring company and the rate at which it adds headcount, poor (or nonexistent) disclosure and authorization forms can mean dozens, hundreds, or even thousands of FCRA violations.
When the FCRA was enacted in the 1970s, its purpose was to ensure the privacy of information in consumers’ credit files, and to limit how lenders, credit card issuers, and employers can and cannot use that information. Eventually extended to include other forms of personal information, including criminal and arrest records, FCRA is based on the notion that consumers are entitled to:
FCRA compliance is enforced by the Federal Trade Commission (FTC) and the Bureau of Consumer Financial Protection (BCFP). FCRA background-check regulations apply to all US businesses, public and private, regardless of state, revenue size, or headcount.
FCRA disclosure and authorization requirements apply to all candidates for full-time and part-time employment who will be subject to background checks.
Legal applicability to independent contractors (workers paid using IRS Form 1099, rather than Form W-2) is a little fuzzier, but FTC guidelines recommend treating prospective contractors the same as applicants for permanent positions when running background checks.
The first step in conducting a FCRA-compliant background check is notification, also called disclosure, and is the process of informing the applicant of intent to run a background check on them. In broad terms, the disclosure must clearly indicate that a background check will be used to inform a hiring decision. If the hiring company is outsourcing the screening to a third party, such as a Consumer Reporting Agency (CRA), the name of the vendor must be indicated.
The FCRA doesn’t specify exact wording to be used in a background check disclosure notification, but it requires “clear and conspicuous disclosure in writing in a standalone document,” a mouthful that’s best understood by breaking it down into smaller bites:
There is one exception to the FCRA ban on embedding background-check disclosure with other documents: An FCRA disclosure form can be combined with an FCRA authorization form, as described below.
A compliant FCRA authorization form is an acknowledgement that a pre-employment background check will be conducted. It can be presented as a self-contained document or jointly with an FCRA disclosure form.
FCRA-compliant background-check authorization forms should NOT:
FCRA background-check authorizations may be used to capture the job candidate’s full name, address and Social Security number, and any other personal information required to conduct the background check.
The FCRA authorization must be signed by the job applicant, either in print or electronically. The employer should keep the original signed form and provide a copy to the applicant.
Requirements for FCRA disclosure and authorization forms change occasionally, so it’s a good idea for employers to check regularly at ftc.gov to make sure disclosure and authorization information are current, or work with your background check provider to ensure your forms are compliant. GoodHire is committed to monitoring changes in FCRA disclosure and authorization guidelines, and maintains a library of compliant forms in our library of downloadable resources.
In addition, it’s important to remember that individual states and municipalities may have background-check disclosure and authorization requirements that are even stricter than those required by the FCRA. Consult your legal counsel to ensure full compliance, or consider working with a background check provider like GoodHire, which helps employers meet compliance requirements with all local and national regulations.
Employers who follow the requirements outlined above can move forward with (or outsource to a third party CRA) its pre-employment background checks, confident they are in compliance with FCRA regulations. To stay FCRA compliant, additional steps are necessary once the results of the background check are returned. That’s a subject for another blog post.
GoodHire’s e-consent and template consent form meet federal compliance obligations. If you use GoodHire for pre-employment background checks, you can choose to use the e-consent option and we’ll provide the disclosure and authorization form to your candidate. However, it’s the employer’s responsibility to review this template to ensure it meets your needs and is approved by your own legal team (you can find it on the employer forms page).
In the event you’d like to provide your own consent form, we can upload your custom e-consent into the candidate flow and it will be provided to each candidate you invite to screen through GoodHire. Please note that it is the employer’s responsibility to review the requirements of your and your candidate’s specific jurisdictions to determine if additional information must be provided. For example, employers in California requesting credit checks on candidates must provide additional information to the candidate setting forth the exception under the credit inquiry ban that allows them to make the inquiry.
The resources provided here are for educational purposes only and do not constitute legal advice. We advise you to consult your own counsel if you have legal questions related to your specific practices and compliance with applicable laws.
Follow Me
Elizabeth McLean is GoodHire’s General Counsel, an FCRA-compliance attorney and expert in the background screening legal landscape. She monitors all things FCRA and EEOC. That means she follows new legislation and court decisions and advises the company on processes that follow compliance best practices.
What does adverse action mean in hiring? Learn the steps employers must follow when taking adverse action, and the rights of job candidates who receive adverse action notices.
Get answers to the most common questions about adverse action, an important step employers must follow if they decide not to hire based on results of a background check.
Your company background check policy should promote company-wide, consistent, and compliant checks. Learn what that means and how to do it with this best practice guide.