Background checks are a powerful risk-management tool, but only when they’re done correctly. Employers, schools, and organizations that fail to follow background check compliance laws can face fines, lawsuits, and reputational damage. This guide explains FCRA background check compliance in plain terms, focusing on what organizations must do to remain compliant.

What is Background Check Compliance?

Background check compliance means following all applicable laws and regulations when requesting, reviewing, and acting on background check information.

The primary law governing background checks is the Fair Credit Reporting Act (FCRA), which applies whenever an organization uses a third-party background screening provider.

Compliance typically requires organizations to:

• Provide proper disclosure before running a background check
• Obtain written authorization from the individual
• Use background information fairly and consistently
• Follow adverse action procedures when making negative decisions
• Protect sensitive personal data

What is the FCRA?

The Fair Credit Reporting Act is a federal law enacted in 1970 that regulates how consumer information (including background check data) is collected, used, and shared. It applies to employers, lenders, landlords, and anyone else who uses consumer reports to make eligibility decisions.

For employers, the FCRA governs the entire background screening process: how you must notify applicants, what consent you need, what steps to follow before rejecting someone based on their report, and what rights the candidate retains throughout.

Who enforces it? The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) both enforce the FCRA. Employers can also face private lawsuits from applicants, including class actions.

When Does the FCRA Background Check Apply?

The FCRA applies whenever an employer uses a Consumer Reporting Agency (CRA), a third-party company, to compile a background report. It does not apply to in-house background checks conducted without a third party.

It covers more than just full-time employees. The FCRA also applies when vetting:

• Part-time and seasonal employees
• Independent contractors and freelancers
• Temporary workers (even via staffing agencies)
• Volunteers (particularly in sensitive roles)
• Existing employees being considered for promotion or reassignment

Why Background Check Compliance Matters

1. It’s the Law

Failure to comply with the FCRA can result in regulatory penalties, lawsuits, and class-action claims.

2. Background Reports Can Contain Errors

Criminal records may be outdated or misattributed. Compliance ensures individuals have the right to dispute inaccuracies.

3. Compliance Reduces Legal Liability

Following required procedures demonstrates fairness and consistency, reducing exposure to negligent hiring or discrimination claims.

4. Schools and Youth Organizations Face Higher Scrutiny

Organizations working with children are often held to stricter compliance expectations.

5. Trust Depends on Fair Processes

Applicants and volunteers are more likely to trust organizations that follow transparent, lawful screening practices.

Disclosure & Consent Form Requirements

This is where most employers make their first mistake. The FCRA has very specific requirements for how you notify applicants and obtain consent, and getting the format wrong is enough to trigger a violation.

The Disclosure

Before ordering any background check, you must provide the applicant with a written disclosure stating that a consumer report may be obtained for employment purposes. The disclosure must:

• Be a standalone document, and it cannot be combined with the employment application, offer letter, or any other document
• Be clear, conspicuous, and written in plain language
• Not include liability waivers, extra legal language, or unrelated content
• State clearly that the report will be used to make employment decisions

Courts are strict on this. A disclosure bundled with an application, even on a separate page, has been found non-compliant. It must truly stand alone.

The Authorization

After receiving the disclosure, the applicant must provide written (or electronic) authorization before you run the check. The FCRA permits you to combine the disclosure and authorization into one standalone form, but it still cannot be attached to any other hiring document.

Certification to the CRA

Before the CRA delivers the report, you must certify to them that you:

• Provided proper disclosure to the applicant
• Obtained the applicant's written consent
• Will use the report only for lawful employment purposes

How FCRA Background Check Compliance Works 

Here are the steps you need to follow to do a compliant background check:

Step 1: Provide a Clear Disclosure

Give the individual a standalone disclosure stating that a background check will be conducted.

The disclosure must:

• Be clear and easy to understand
• Be separate from other documents
• Do not include liability waivers or extra language

Step 2: Obtain Written Authorization

You must receive written permission - often electronic - from the individual before proceeding.

Without authorization, running a background check is a compliance violation.

Step 3: Run the Background Check Through a Compliant Provider

Using free databases or DIY searches can lead to inaccurate results and legal risk.

A compliant provider should offer:

• FCRA-compliant workflows
• County-level criminal searches
• Identity and alias verification
• Secure data handling

Step 4: Review Results Fairly and Consistently

Organizations should evaluate background check results by considering:

• Nature of the offense
• Time since the offense
• Relevance to the role
• Evidence of rehabilitation
• EEOC hiring guidance

Step 5: Follow the Adverse Action Process (If Needed)

If you may deny employment, volunteer approval, or access based on a background check, you must follow adverse action procedures.

This includes:

• Sending a pre-adverse action notice
• Providing a copy of the report
• Allowing time to dispute
• Sending a final adverse action notice

The Adverse Action Process

The adverse action process is the most litigated part of FCRA compliance. Skipping or rushing any step is the most common reason employers face class-action suits.

Step 1: Pre-Adverse Action Notice

Before making any final negative decision, you must send the applicant a pre-adverse action notice that includes:

• A copy of the background check report
• A copy of the CFPB's "A Summary of Your Rights Under the Fair Credit Reporting Act."
• Notice that you are considering taking adverse action based on the report

2024 Update: The CFPB issued an updated version of the rights summary in April 2023, which became mandatory for employers to use from March 20, 2024. Employers using the old version after that date are in violation.

Step 2: Wait Period

After sending the pre-adverse action notice, you must give the applicant a reasonable amount of time to review the report and dispute any errors. The FCRA does not specify an exact number of days, but courts and compliance experts generally interpret it as at least 5 business days. Do not make your final decision before this period elapses.

Step 3: Final Adverse Action Notice

If you proceed with the negative decision after the waiting period, send a final adverse action notice to the applicant. This notice must include:

• The name, address, and phone number of the CRA that produced the report
• A statement that the CRA did not make the hiring decision and cannot explain it
• Notice that the applicant has the right to dispute inaccurate information with the CRA
• Notice that the applicant may obtain a free copy of their report from the CRA within 60 days
• Document everything. Retain copies of all disclosure forms, authorizations, reports, and adverse action notices. Both federal and state laws impose specific record retention requirements.

Candidate Rights Under the FCRA

Every applicant subject to a background check has the following rights, and your process must protect them:

• Right to know if a background check was or will be conducted
• Right to give or withhold consent before the check is run
• Right to receive a copy of their report before adverse action is taken
• Right to dispute inaccurate or incomplete information with the CRA
• Right to have disputed information reinvestigated
• Right to know the name and contact information of the reporting agency
• Right to a free copy of their report within 60 days of adverse action

EEOC Guidelines & Criminal Records

The FCRA governs how you run background checks. The EEOC governs how you use what you find, specifically when it comes to criminal history.

Protected Classes

Under Title VII and related laws enforced by the EEOC, employers cannot make hiring decisions that discriminate based on race, color, national origin, sex, religion, disability, age (40+), or genetic information.

Using Criminal Records

Employers may consider criminal records in hiring, but must do so carefully:

• A criminal record alone cannot automatically disqualify a candidate.
• Blanket "no criminal record" policies may violate Title VII if they disproportionately screen out protected groups.
• All candidates with similar records must be evaluated consistently. You cannot apply different standards based on race or national origin.

State-Specific Variations

The FCRA is a federal baseline; states can and do add additional restrictions. Employers must comply with both. Here are the most common state-level rules:

Common Background Check Compliance Mistakes

Organizations often fall out of compliance by:

• Skipping written consent
• Using non-compliant screening tools
• Failing to send pre-adverse action notices
• Acting too quickly before disputes are resolved
• Applying inconsistent decision criteria
• Not documenting screening decisions
• FTC business compliance guidance

FCRA Lookback Periods & Reportable Information

The FCRA limits how far back CRAs can report certain types of information for positions paying under $75,000 annually:

Note: These federal limits don't apply to positions with salaries above $75,000, and many states impose stricter limits regardless of salary. Always confirm what's reportable under applicable state law.

Benefits of Staying Compliant With Background Checks

Organizations that prioritize compliance gain:

• Reduced legal risk
• Fair and defensible hiring decisions
• Better applicant and volunteer experiences
• Stronger audit trails
• Increased trust from employees, parents, and communities
• Protection against discrimination claims

Get Support for FCRA Background Check Compliance With Bchex

Bchex helps organizations stay compliant by providing:

• FCRA-compliant disclosure and consent workflows
• Accurate, county-level criminal searches
• Built-in adverse action tools
• Secure data handling and reporting
• Compliance support for schools, nonprofits, and businesses

By standardizing the screening process, Bchex helps reduce human error and compliance gaps.

Conclusion

Background check compliance isn’t optional - it’s essential. By understanding and following FCRA requirements, organizations can protect themselves legally while ensuring fair, transparent screening practices.

Looking for a compliant screening solution you can trust?
Bchex provides FCRA-compliant background checks with built-in compliance safeguards to help organizations screen confidently.

FAQs About Background Check Compliance

Q: Does the FCRA apply to volunteers?
Yes - if a third-party background check provider is used.

Q: Can I run background checks without consent?
No. Written authorization is required under the FCRA.

Q: How long should I wait during adverse action?
Most organizations wait at least 5 business days.

Q: Are Google searches compliant background checks?
No - DIY searches are unreliable and non-compliant.

Q: Who enforces background check compliance?
The FTC and CFPB oversee FCRA enforcement.