Background Check Compliance

Background check compliance governs the legal framework employers must follow when screening job applicants and employees through criminal history, credit, identity, and other investigative records. Federal statutes, Equal Employment Opportunity Commission guidance, and a patchwork of state laws impose specific notice, consent, and adverse action requirements that vary by industry and jurisdiction. Non-compliance exposes employers to civil liability, regulatory enforcement, and class-action risk under the Fair Credit Reporting Act. This page covers the definition and scope of background check compliance, the step-by-step process employers must follow, common application scenarios, and the decision boundaries that separate lawful from unlawful screening practices.


Definition and scope

Background check compliance refers to the body of rules that regulate how employers collect, use, and act upon investigative consumer reports about workers or applicants. The primary federal statute is the Fair Credit Reporting Act (FCRA), codified at 15 U.S.C. § 1681 et seq., which the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) jointly enforce (CFPB, FCRA Overview). When an employer uses a third-party consumer reporting agency (CRA) to conduct a background check, FCRA applies regardless of employer size.

Overlapping requirements arise under Title VII of the Civil Rights Act of 1964, which the EEOC enforces and which prohibits blanket exclusion policies that produce disparate impact on protected classes. The EEOC's 2012 Enforcement Guidance on the Consideration of Arrest and Conviction Records (EEOC Notice 915.002) is the controlling federal policy document on how criminal history may be used in hiring decisions.

State-level scope expands significantly beyond FCRA. As of 2023, 37 states and the District of Columbia have enacted "ban-the-box" laws that restrict or delay criminal history inquiries (National Employment Law Project, Ban the Box). California's Investigative Consumer Reporting Agencies Act (ICRAA) and Consumer Credit Reporting Agencies Act (CCRAA) impose additional disclosure and permissible-purpose requirements beyond federal minimums.

Scope also varies by record type. Background checks commonly include criminal records, credit history, employment verification, education verification, motor vehicle records, and sex offender registry checks. Each category carries distinct permissible-use standards.


How it works

FCRA compliance for employer-conducted background checks follows a mandatory sequence of discrete steps:

  1. Disclosure: Before procuring a consumer report, the employer must provide the applicant a clear and conspicuous written disclosure that a background check will be conducted. FCRA requires this disclosure to appear in a document consisting solely of the disclosure — no additional waiver or release language may be bundled into it (15 U.S.C. § 1681b(b)(2)(A)).
  2. Written authorization: The applicant must provide signed authorization before the report is ordered.
  3. Certification to the CRA: The employer certifies to the reporting agency that it has complied with disclosure and authorization requirements and that the information will not be used in violation of equal opportunity laws.
  4. Pre-adverse action notice: If the employer intends to take an adverse employment action based on the report, it must first provide the applicant a copy of the report and the Summary of Rights Under the FCRA (FTC, FCRA Summary of Rights).
  5. Waiting period: A reasonable period — the FTC has historically referenced five business days as a benchmark, though FCRA does not specify an exact number — must pass before the final adverse action is taken.
  6. Final adverse action notice: The employer must notify the applicant of the adverse action, identify the CRA that provided the report, and inform the applicant of their right to dispute the report's accuracy with the CRA.

Employers who conduct background checks through internal means (public court record searches, reference calls) without using a CRA are not governed by FCRA but remain subject to EEOC guidance and applicable state statutes.

Recordkeeping obligations also apply: FCRA records related to adverse action must be retained, and EEO-related records generally carry a one-year minimum retention period under EEOC regulations at 29 C.F.R. § 1602.


Common scenarios

Scenario 1 — Standard pre-employment screen: An employer hires a CRA to run a criminal background and employment verification check on a finalist candidate. Full FCRA disclosure, authorization, and adverse action procedures apply.

Scenario 2 — Credit history check for financial roles: Employers in banking, accounting, or positions with fiduciary access to funds may review credit reports under FCRA's permissible-purpose provisions. Seven states — including California, Maryland, and Illinois — restrict credit checks for most non-financial positions, requiring employers to confirm positional justification before ordering the report.

Scenario 3 — Continuous or post-hire monitoring: Employers in transportation, healthcare, and security industries often conduct ongoing criminal record monitoring for current employees. FCRA's disclosure and authorization requirements apply each time a new consumer report is procured.

Scenario 4 — Staffing agency placements: When a staffing agency places workers with client companies, the agency typically acts as the employer of record for FCRA compliance purposes and must complete the full disclosure-authorization-adverse action cycle before the client company makes a placement decision.


Decision boundaries

The central compliance distinction is between a per se exclusion policy and an individualized assessment. EEOC guidance prohibits automatic disqualification based solely on the existence of a criminal record and requires employers to evaluate at minimum: the nature and gravity of the offense, the time elapsed since the offense or sentence completion, and the nature of the job sought. This three-factor framework derives directly from the EEOC's 2012 Guidance.

A second boundary separates arrest records from conviction records. An arrest without a conviction is not evidence of criminal conduct under EEOC policy. Using an arrest record alone as a basis for adverse action creates significant disparate impact exposure under Title VII.

A third boundary concerns lookback periods. FCRA limits CRA reporting of most criminal convictions to 7 years for positions with an annual salary below $75,000 (15 U.S.C. § 1681c). Positions above that threshold carry no FCRA-imposed lookback cap, though state law may impose shorter windows.

Employers with federal contracts have an additional layer through OFCCP compliance requirements, which can affect how criminal history screening interacts with affirmative action obligations. Positions requiring federal security clearances operate under separate adjudicative guidelines issued by the Office of the Director of National Intelligence.

