Organization Risk: Background Checks Policies and Practices
Are you following an observable and repeatable process regarding your HR practice for background checks? Does it have specific triggers, timelines, and metrics? Are your services transparent and following the Fair Credit Reporting Act (FCRA)?
Implications of the Fair Credit Reporting Act
The Consumer Credit Protection Act of the FCRA, also known as Title VI, is a law that aims to safeguard the information collected by consumer reporting agencies, such as credit bureaus and medical information companies. It restricts the sharing of consumer reports with any unauthorized person unless they have a specific purpose as outlined in the Act, and it places the burden on companies that provide information to consumer reporting agencies, which are legally obligated to investigate disputed information.
Ten Things You Should Be Doing
Here are some questions you should ask yourself before conducting a background check and some things you should be aware of and follow as you do so:
- Written Policy Document: Develop a comprehensive written policy outlining the purpose, scope, and procedures for background checks. Clearly communicate the types of checks conducted, permissible information sources, and the decision-making process based on findings.
- Compliance with Laws: Ensure strict compliance with federal and state laws, including the FCRA and applicable anti-discrimination laws. Remain vigilant about changes in legislation that may impact background check practices.
- Consent and Disclosure Form: Obtain written consent from applicants or employees before conducting background checks. Provide a clear and separate disclosure form highlighting the intention to conduct such investigations and explaining their implications.
- Adverse Action Procedures: Establish a process for adverse action if negative information is discovered by providing individuals with a copy of the background report, a summary of their rights under the FCRA, and an opportunity to dispute inaccurate information.
- Data Security Measures: Put robust security measures in place to safeguard sensitive information obtained during background checks. Take steps to prevent unauthorized access or breaches and ensure you are compliant with data protection regulations.
- Individualized Assessment: Adopt a nuanced approach when assessing background check results. Consider the nature of the offense, its relevance to the job, and the time elapsed since the occurrence. Avoid blanket exclusions based on criminal records.
- Regular Training Programs: Ensure proper training on the legal and ethical aspects of conducting background checks is given to all HR staff, hiring managers, and relevant personnel. Regularly update them on changes in laws and industry best practices.
- Record Retention Policy: Establish a clear policy regarding the retention and disposal of background check records. Comply with legal requirements on how long records should be kept and ensure secure disposal methods.
- Vendor Due Diligence: If you use third-party vendors for background checks, conduct thorough due diligence on their practices. Ensure they comply with legal requirements, maintain data security, and follow ethical standards.
- Periodic Review and Revision: Regularly review and update your background check policy to adapt to changes in laws, industry standards, and organizational needs. Ensure that your policies remain effective and legally compliant.
The Bigger Picture of Background Check Risks
If you are conducting background checks as part of a more extensive pre-employment process, what specifically are you looking for, what information will you use, and how will you apply what you learn to identify risk in a potential hire? You should have these matters documented and reviewed by counsel so that they follow state and federal law and guidelines. These aspects of your risk assessment are critical not only to the success of your business but also to preventing litigation. Take an example. Let’s say you’ve hired an employee, and the employee goes through a background check as part of your regular hiring process. After a couple of years, this employee resigns their position and leaves in good standing.

A year later, the employee returns with new skills, takes or applies for an available position, and is offered that role pending a background check. As a former employee, they underwent a background check as part of the original hiring process. Will you execute a new background check? Are they exempt? Why? It is vital to the security and legal risk mitigation practice to have these questions covered in your process and policies. Any real or perceived loophole is risk exposure you want to avoid, as it can and often will lead to civil litigation.
Prior Planning Prevents Unnecessary Risk
Let’s review a less common practice that, if done correctly, can protect organizations from insider threats, including fraud and embezzlement. Picture this: You have an employee who has been with you for 20 years. In that time, they rose from shipping clerk to Senior Vice President of Finance. They have gained considerable knowledge and power in the organization and a “seat at the table,” providing counsel to the C-suite and board. A background check was conducted as part of the HR hiring process when they were first hired. Since then, there has been no further background check or vetting because you know this person; they have been with you for decades.
A person’s life and behavior can change dramatically in less than a decade. They may have accumulated enormous gambling debt, giving the bad actors they owe money to leverage over your employee. They may have participated in illicit activities that, if exposed, would damage the organization’s reputation. As part of a forward-looking risk exposure mitigation plan, consider including a background check policy with specific triggers such as promotions or length of time worked; make sure these policies align with state and federal law by vetting them with legal counsel.
When applying background checks as part of your organizational risk management strategies and planning, it’s best to first understand what it is about your organization that could be damaged, whether through reputation or through some other scheme that could expose the organization to loss of revenue or funds, loss of goods and services, loss of people, or loss of reputation. By identifying these critical components of the organization’s risk exposure, you can develop a risk v. reward model that guides a holistic security and risk plan.
References
U.S. Equal Employment Opportunity Commission. Background Checks: What Job Applicants and Employees Should Know. https://www.eeoc.gov/laws/guidance/background-checks-what-job-applicants-and-employees-should-know
U.S. Equal Employment Opportunity Commission. Background Checks: What Employers Need to Know. https://www.eeoc.gov/laws/guidance/background-checks-what-employers-need-know
U.S. Federal Trade Commission. Fair Credit Reporting Act. https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act