Background Screening Best Practices for Employers
Ten compliance-focused best practices every employer should follow when running background checks — from FCRA authorization through adverse action and record retention.

Scott Galing
President, Do It Right Screening — 30+ years of industry experience
Obtain Written Authorization Before Screening
The FCRA requires employers to obtain a clear and conspicuous written disclosure and authorization from the applicant before ordering a consumer report. This must be a standalone document — not buried inside a job application. Failure to obtain proper authorization is one of the most common FCRA violations and can expose your organization to significant liability.
Use an FCRA-Compliant Consumer Reporting Agency
Not all background check providers operate under the same legal framework. Make sure your screening partner is a Consumer Reporting Agency (CRA) operating in compliance with the Fair Credit Reporting Act. A compliant CRA will follow proper permissible purpose requirements, provide applicants with their rights disclosures, and maintain data accuracy standards.
Apply Individualized Assessment — Never Auto-Reject
A criminal record alone should not automatically disqualify a candidate. EEOC guidance and many state laws require employers to assess the nature of the offense, the time elapsed, and the relevance to the specific job. Document your individualized assessment process. Blanket exclusions for criminal history can constitute illegal discrimination.
Follow the Two-Step Adverse Action Process
If background check results may negatively affect a hiring decision, you must follow the FCRA's two-step adverse action process: (1) provide a pre-adverse action notice with a copy of the report and a summary of rights, then allow a reasonable waiting period; (2) if you proceed, send a final adverse action notice. Skipping either step is a common — and costly — compliance failure.
Know Your State and Local Laws
Federal FCRA requirements set the floor — many states and cities impose additional obligations. Ban-the-box laws restrict when you can ask about criminal history. Some states limit how far back a background check can look (California: 7 years for most offenses). Others require specific language in your adverse action notices. Always verify the rules for every jurisdiction where you hire.
Tailor the Screening Package to the Role
A warehouse associate and an executive with financial authority present very different risk profiles. Build screening packages that match the position — credit reports for roles handling funds, driving records for roles requiring vehicle operation, professional license verification for regulated professions. Screening everyone the same way either over-screens low-risk roles or under-screens high-risk ones.
Implement a Written Screening Policy
Document your screening program in a formal written policy that covers which positions are screened, what components are included, how results are evaluated, and who is responsible for compliance decisions. A written policy protects the organization in disputes, ensures consistent application, and demonstrates good faith to regulators and auditors.
Train HR and Hiring Managers on FCRA Requirements
Background check compliance is not just the responsibility of the screening vendor — your HR team and hiring managers must understand the rules. Annual training on FCRA obligations, adverse action procedures, and state-specific requirements reduces the risk of uninformed decisions that create liability.
Consider Ongoing or Periodic Re-Screening
Pre-employment screening only captures what was on record at the time of hire. For roles in healthcare, financial services, transportation, or childcare, periodic re-screening is a best practice — and in some cases a regulatory requirement. Annual MVR reviews for drivers and ongoing criminal monitoring for sensitive roles are common examples.
Retain Screening Records Appropriately
The FCRA and EEOC guidance require you to retain employment records — including background check results — for a minimum of one year from the date of the decision (two years for federal contractors). Many employers retain records longer as a best practice. Establish a consistent retention and destruction schedule, and ensure background check reports are stored securely with limited access.
Frequently Asked Questions
What is the biggest FCRA compliance mistake employers make?
The most common mistake is skipping or combining steps in the adverse action process — either not sending a pre-adverse notice before making a final decision, or not giving the applicant enough time to respond. This is a frequent source of class-action FCRA lawsuits.
Can I use the same background check package for every position?
You can, but it is not recommended. A one-size-fits-all package often over-screens low-risk roles (unnecessary cost and delay) and under-screens high-risk roles (missed risk exposure). Tailoring components to the specific job responsibilities is both more cost-effective and more defensible.
How long should I wait between the pre-adverse and final adverse action notices?
The FCRA does not specify an exact number of days, but most compliance experts recommend a minimum of five business days. Some states require longer waiting periods. The purpose is to give the applicant a reasonable opportunity to review the report and dispute any inaccuracies.
Does ban-the-box apply to every employer?
No — ban-the-box laws vary by state, city, and employer size. Some apply only to public employers, others to all employers above a certain headcount, and some only restrict when you can ask (not whether you can ask at all). Always verify the specific rules for each location where you hire.