The Fair Credit Reporting Act (FCRA) establishes important regulations for employers conducting background checks and employment screenings in the United States. This comprehensive guide outlines the compliance requirements, enforcement mechanisms, and best practices for organizations to ensure adherence to FCRA regulations while navigating the complexities of employment screening.
| Regulation | FCRA |
|---|---|
| Liability | Willful violations: actual damages or statutory damages of USD 100-1,000 per consumer, plus punitive damages and attorney's fees; negligent violations: actual damages and fees; agency and state enforcement actions carry separate civil penalties; class action exposure |
| Enforcing Authority | FTC and CFPB (state attorneys general may also bring actions; consumers have a private right of action) |
| Official Source | 15 U.S.C. § 1681 et seq.; FTC and CFPB guidance on the FCRA |
What Is FCRA?
The Fair Credit Reporting Act (FCRA) is a federal law enacted in 1970 to promote the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. It regulates how employers can obtain and use consumer reports, which include background checks, credit reports, and other related information. The FCRA aims to protect consumers from unfair practices and ensure that they are informed about how their information is being used in employment decisions.
Employers must understand that the FCRA applies not only to traditional credit reports but to any report obtained from a consumer reporting agency that bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. This broad definition covers criminal history checks, driving records, employment and education verifications, and similar reports purchased from a third party, which makes compliance critical for organizations that rely on such reports for hiring and employment decisions.
Who Must Comply
All employers in the United States that obtain consumer reports from a consumer reporting agency for employment purposes are subject to the FCRA. This includes businesses of all sizes, from small startups to large corporations, and it covers reports used to evaluate a candidate's suitability for hiring, promotion, reassignment, or retention. Checks an employer performs entirely in-house without a third-party agency, such as calling references directly, are generally not consumer reports, although other employment laws still apply to how that information is used.
Third-party background check companies, known as consumer reporting agencies (CRAs), must also comply with the FCRA when providing reports to employers. Before a CRA may release a report, the employer must certify to it that it has made the required disclosure and obtained authorization, that it will follow the adverse action procedures, and that it will not use the information in violation of federal or state equal employment opportunity laws. Employers should work only with CRAs that follow the FCRA's requirements, because an employer's own obligations are not satisfied by relying on a vendor that does not.
Core Compliance Requirements
Disclosure and authorization. Before obtaining a consumer report, employers must provide a clear and conspicuous written disclosure, in a document that consists solely of the disclosure, stating that a consumer report may be obtained for employment purposes. Burying the disclosure in an application form or adding liability waivers to it is a common source of litigation. The employer must also obtain the individual's written authorization before requesting the report; the authorization may appear on the same standalone document as the disclosure.
Adverse action procedures. If an employer intends to take adverse action based in whole or in part on a consumer report, such as declining to hire, withdrawing an offer, or terminating an employee, it must follow a two-step process. First, before the decision is final, it sends a pre-adverse action notice with a copy of the report and the CFPB's "A Summary of Your Rights Under the Fair Credit Reporting Act", and waits a reasonable period so the individual can dispute the information (the statute sets no fixed period; five business days is a widely used benchmark). Second, after the decision, it sends an adverse action notice that identifies the CRA with its contact details, states that the CRA did not make the decision and cannot explain it, and informs the individual of the right to obtain a free copy of the report from the CRA within 60 days and to dispute its accuracy.
Accuracy and dispute resolution. The FCRA places the duty to follow reasonable procedures to assure maximum possible accuracy, and the duty to reinvestigate disputed items (generally within 30 days), on the CRA rather than on the employer. The employer's responsibilities are to hold the employment decision open during the pre-adverse action period, to refrain from relying on information it knows to be inaccurate or that the CRA has corrected, and to route the individual's dispute to the CRA rather than attempting to resolve it informally. A practical check is to confirm that the report the employer acted on matches the report the individual received and that any corrected report is reviewed before the decision is finalized.
Recordkeeping requirements. The FCRA itself does not prescribe a retention period for employers, but they should keep the signed disclosure and authorization, the certification to the CRA, the reports obtained, both adverse action notices, and any dispute correspondence. Many employers retain these records for at least five years, which matches the outer limit of the FCRA's statute of limitations (the earlier of two years after the violation is discovered or five years after it occurred) and also satisfies the shorter federal hiring-record retention rules. The records are the employer's primary evidence in an audit or lawsuit that the process was followed.
Penalties and Enforcement
The FCRA is enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), and state attorneys general may also bring actions. The larger exposure for most employers, however, is private litigation: an individual harmed by a willful violation may recover actual damages or statutory damages of USD 100 to USD 1,000 per violation, plus punitive damages and attorney's fees, and a negligent violation supports actual damages and fees. Because a defective disclosure form or adverse action process is typically applied to every applicant, these claims are frequently brought as class actions, where the per-person statutory amount is multiplied across the entire applicant pool.
In recent years, there has been an increase in enforcement actions related to FCRA compliance, particularly concerning the improper use of background checks and failure to follow adverse action procedures. Employers must be vigilant in their compliance efforts to avoid the risk of costly penalties and reputational damage.
Building a Defensible Compliance Program
To effectively manage FCRA compliance, organizations should develop a robust compliance program. This program should include the following steps:
- Conduct a comprehensive risk assessment to identify potential compliance gaps.
- Develop and implement clear policies and procedures for obtaining and using consumer reports.
- Train employees involved in the hiring process on FCRA requirements and best practices.
- Establish a process for handling disputes related to consumer reports.
- Regularly review and update compliance policies to reflect changes in the law.
- Maintain thorough documentation of all compliance-related activities.
- Monitor compliance through regular audits and assessments.
- Engage legal counsel or compliance experts to ensure ongoing adherence to FCRA requirements.
Practical Implementation Priorities
Policy development. Organizations should create detailed policies that outline the procedures for obtaining and using consumer reports. These policies should include guidelines for conducting background checks, handling disputes, and ensuring compliance with FCRA requirements.
Employee training. It is essential to provide training for HR personnel and hiring managers on FCRA compliance. This training should cover the importance of obtaining proper disclosures and authorizations, as well as the procedures for adverse actions and dispute resolution.
Vendor management. Employers must ensure that any third-party CRAs they engage are compliant with FCRA regulations. This includes conducting due diligence on vendors and obtaining written assurances of their compliance.
Regular audits. Organizations should implement a schedule for regular audits of their compliance practices. These audits should assess adherence to FCRA requirements and identify areas for improvement.
Run a Free Privacy Scan
Before building a compliance program, an automated scan of your public-facing properties identifies the privacy gaps that carry the most immediate regulatory risk, such as undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson's privacy scanner produces a findings report within minutes; because FCRA obligations attach to the screening workflow rather than to the website, those findings are then reviewed alongside your disclosure, authorization, and adverse action process.
Run your free scan or speak with a privacy expert to discuss your compliance obligations under the FCRA and build a prioritized remediation plan.
Regulatory Crosswalk
Organizations subject to this regulation often operate under these overlapping frameworks: CCPA, ECOA, State ban-the-box laws. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.