How to comply with FCRA — 6 steps

August 2, 2018 by Greg Belding

The Fair Credit Reporting Act, or FCRA, is a piece of legislation passed by Congress in 1970 to promote fairness, accuracy and privacy for information that consumer reporting agencies use for different purposes. One of the most common functions falling under FCRA is organizations' use of background checks for the purpose of employment.

Organizations normally send requests to credit reporting agencies when individuals apply for employment, both to obtain a background check and a consumer credit report. What this means is exposure to information of a personal nature at both the organizational and credit-reporting agency level. FCRA aims to help protect the information of these individuals, and this article will detail how organizations can comply with FCRA during this commonly-occurring hiring practice.

Please note: this article should serve as a brief overview of FCRA compliance and in no way is a substitute for legal advice.

FCRA Compliance

Permissible Purpose

To meet compliance with FCRA, organizations must establish a permissible purpose for the use of said personal information. Under FCRA, this information must be used for ordering background checks for the purposes of employment. FCRA uses a broad definition for "employment," which includes hiring, promotion, transfers, retention, and contracting or volunteering.

One real-world example of this employment, aside from the obvious new hire scenario, is when an organization appoints an executive or professional to a role. A background check may be a routine part of this promotion, just as a cautionary practice.

Disclosure

FCRA mandates that the individual be provided a written notice disclosing that a background check may be required as a condition of their hiring. Operationally speaking, organizations normally provide the individual this disclosure when they arrive for a face-to-face interview. This disclosure can only be combined with an authorization, which will be examined below.

Authorization

As a preliminary matter, organizations are required to obtain written consent from the individual granting the organization the right to the individual's consumer credit report before and during the individual's employment with them. Logistically speaking, hiring organizations normally request the individual's consumer credit report soon after receiving this authorization.

Certifications

For all intents and purposes, the organization is considered the "end user" of the individual's credit report. Being the "end user," the organization certifies the following:

  • That the organization will obtain the background check only for the permissible purpose of employment
  • That the organization has made a clear disclosure and has obtained the individual's consent before ordering a consumer credit report
  • That the organization will not use the consumer credit report in a manner that will violate any state or federal equal opportunity laws
  • That the organization will properly follow, as will be explored below, adverse action procedures if a negative employment decision is made based upon information from the consumer credit report

Adverse Action

If the organization has made a negative employment decision based upon the consumer credit report, it must take actions prior to rescinding an employment offer or employee termination. This is a two-pronged process.

The Notice

In an oral, written, or electronic form, the organization must give the individual a pre-adverse notice. This notice must inform the individual of:

  • The name, address and telephone number of the credit reporting agency that assembled the report
  • That the credit reporting agency was not the decision-maker and that it will not explain why the negative employment decision was made
  • That the individual has a right to a free disclosure of the negative hiring decision if the request is made to the credit reporting agency within sixty days
  • That the individual has a right to dispute any incomplete or inaccurate information on the consumer credit report directly to the credit reporting agency

The Response

At this point, the organization must allow the individual applying for employment five days to contact the credit reporting agency in case he/she wants to dispute the report. Once five days have passed, the organization can make its final employment decision.

  • Please note that if the individual has disputed the information contained in the consumer credit report, the credit reporting agency has 30 days to perform a reinvestigation into the matter at no cost to the individual. The screening firm must provide updates to the individual and the organization of the reinvestigation results
  • If the organization ends up making a negative employment decision, it must send a final adverse notice to the individual
  • Additionally, certain states have state-specific notices that must be sent to the individual in the case of a negative employment decision. Organizations will have to research applicable law for the state that they operate in to determine if they are subject to these laws

Provide a Copy of the FCRA for Reference

Organizations must provide a copy of the FCRA for reference, both to individuals that are seeking employment with the organization and those currently employed by the organization. A commonly-used place to post the FCRA is in the employee break area, probably near where the "equal opportunity of employment" material is normally displayed.

Conclusion

The FCRA is in place to protect an individual and his/her personal information when a request is submitted to a credit reporting agency for purposes of obtaining a consumer credit report. Although organizations are required to take certain actions to maintain compliance with this law, it is actually quite simple to maintain compliance with FCRA, and most organizations will have to invest only a small amount of time into the preparation of an FCRA-compliant plan of action regarding credit reports.

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.