Employee Background Check Compliance Guide

Quick answer

Federal FCRA compliance requires a clear disclosure, written authorization, and a two-step adverse action process before taking any adverse employment action based on a background check. Many states add stricter requirements: longer notice periods, additional consent rules, and ban-the-box timing restrictions. Always check state law for the candidate's state of employment, not just the employer's headquarters.

FCRA: the federal baseline

The Fair Credit Reporting Act (FCRA) regulates the use of "consumer reports" (including background checks) in employment decisions. It applies whenever an employer uses a third-party Consumer Reporting Agency (CRA) — not for checks done entirely in-house. All major background check vendors are CRAs subject to FCRA.

Core FCRA requirements for employers:

Requirement	What it means
Standalone disclosure	You must provide a clear, conspicuous disclosure that a background check may be obtained. It must be a standalone document — not buried in an application or employee handbook.
Written authorization	The candidate must sign an authorization before the CRA runs the check. Electronic signatures are acceptable.
Pre-adverse action notice	Before taking adverse action (rejection, rescission of offer), you must provide the candidate with a copy of the report and the FCRA Summary of Rights.
Reasonable waiting period	The candidate must have a reasonable opportunity to dispute the report before final adverse action. The FTC suggests at least 5 business days, though this is not codified federally.
Adverse action notice	After the waiting period, if you proceed with adverse action, send a formal adverse action notice identifying the CRA, stating the CRA did not make the decision, and informing the candidate of their dispute rights.

FCRA violations carry civil liability — up to $1,000 per violation for negligent violations and actual damages plus punitive damages for willful violations. Class actions for systemic FCRA violations are common and have resulted in multi-million dollar settlements against major employers.

State mini-FCRA laws

Many states have enacted their own consumer protection laws that add requirements beyond the federal FCRA. These are sometimes called "mini-FCRA" laws. Key states with significant additional requirements:

State	Key additional requirements
California	Investigative consumer report rules under ICRAA (Civil Code 1786); 7-year lookback for most adverse information; specific salary history and credit check restrictions; IWC Order requirements
New York	Article 23-A limits use of criminal records; NYC Fair Chance Act requires conditional offer before criminal inquiry; 5-business-day pre-adverse action period minimum
Massachusetts	CORI (Criminal Offender Record Information) reform law; specific employer certification required to access CORI; limits on what records can be accessed and used
Washington	Fair Chance Act (HB 1045); ban-the-box applies to employers of 8+; individualized assessment required before denying employment based on criminal record
Colorado	CCIA limits criminal record inquiries to after conditional offer; individualized assessment required; sealing law for certain arrest records

Always check the law in the state where the employee will be working, not just where the employer is headquartered. For remote roles, the employee's state of residence typically governs.

Ban-the-box laws

"Ban-the-box" refers to laws that prohibit employers from asking about criminal history on the initial job application — delaying the inquiry until later in the hiring process. The goal is to give applicants with criminal records an opportunity to be evaluated on their qualifications first.

As of 2026, over 35 states and 150+ cities and counties have enacted some form of ban-the-box restriction. The most restrictive versions (such as NYC's Fair Chance Act) require a conditional offer of employment before any criminal background check is run at all.

Key compliance points for ban-the-box laws:

Do not include criminal history questions on the initial application form
Remove checkboxes asking whether the applicant has ever been convicted of a crime
In jurisdictions requiring it, delay all criminal inquiries until a conditional offer is made
In some jurisdictions (NYC, Philadelphia, Seattle), conduct an individualized assessment before rejecting based on criminal history
Some jurisdictions explicitly exclude certain positions (law enforcement, healthcare with patient contact, positions involving access to vulnerable populations)

The individualized assessment requirement

Many jurisdictions now require employers to conduct an individualized assessment before taking adverse action based on criminal history. This means evaluating:

The nature and severity of the offense
The time elapsed since the offense
The nature of the job being sought (is there a direct relationship between the offense and job duties?)
Any evidence of rehabilitation or good conduct
The age of the individual at the time of the offense

A blanket policy of rejecting all applicants with criminal records — regardless of the nature of the offense or how long ago it occurred — creates both legal exposure under EEOC guidance (which treats such policies as potentially discriminatory) and violation risk in jurisdictions with individualized assessment requirements.

Credit and financial record checks

Credit checks in hiring are specifically regulated. Under the FCRA, credit report use requires the same disclosure and authorization process as criminal background checks. But many states additionally restrict when credit checks can be used at all — limiting them to positions with direct financial responsibility or access to financial accounts.

States restricting employment credit checks include California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington (among others). The restrictions typically allow credit checks only for specific role types and require written notice to the applicant when a credit check is used.

Education and credential verification: where background checks end and VerifyED begins

Standard background check vendors typically confirm degree completion by contacting the school's registrar — but this does not verify that the institution granting the degree is legitimate or accredited. A degree from an unaccredited diploma mill will pass a standard background check because the school actually issued the credential.

Credential verification requires a separate step: confirming that the awarding institution is legitimate, regionally or nationally accredited by a recognized agency, and not on a diploma mill or debarment list. This is especially critical for licensed professions (nursing, medicine, law, engineering) where the underlying educational credential determines licensing eligibility.

Compliance checklist

1. Use a compliant standalone FCRA disclosure form — not part of the job application
2. Obtain written authorization before running any background check through a CRA
3. Check ban-the-box laws for the applicant's state and city — remove criminal history questions from applications if required
4. Follow the two-step adverse action process: pre-adverse notice with report + waiting period, then formal adverse action notice
5. Conduct individualized assessments in jurisdictions that require them before rejecting based on criminal history
6. Limit credit checks to positions that legally justify them under state law
7. Supplement background checks with credential verification — confirm educational institutions are legitimate and accredited, not just that a degree was issued
8. Train HR staff on the applicable adverse action process — FCRA class actions often result from procedural failures, not false information

Verify educational credentials as part of your background check process

Standard background checks confirm that a degree was issued — they do not verify that the issuing institution is legitimate or accredited. Use VerifyED to screen educational credentials for diploma mills and unaccredited institutions before making hiring decisions.

Search Schools and Accreditation →