What the FCRA covers in employment screening
The Fair Credit Reporting Act, enacted in 1970 and substantially amended since, governs the use of consumer reports in employment decisions. In the recruitment context, it applies whenever an employer uses a consumer reporting agency (CRA) — a third-party company that assembles and evaluates information about individuals from multiple sources — to obtain background information about a candidate. This includes criminal history checks, credit history checks, employment and education verification, professional licence verification, driving record searches and civil court searches, when obtained through a CRA rather than compiled directly by the employer.
The FCRA creates procedural requirements that must be followed before a background check is ordered and, if the results lead to a negative decision, before and after that decision is implemented. These requirements are not suggestions or best practices — they are mandatory legal obligations enforced by the Federal Trade Commission, the Consumer Financial Protection Bureau and through private right of action by candidates themselves.
The enforcement consequences are substantial. Willful FCRA violations entitle the affected individual to statutory damages of $100 to $1,000 per violation, actual damages, punitive damages and attorney's fees. FCRA class action litigation has become a significant area of employment law, with settlements regularly exceeding $5 million for employers who failed to use properly formatted disclosure documents or skipped the pre-adverse action notice process across hundreds or thousands of candidates. The per-candidate nature of FCRA violations means that a systemic procedural defect can produce enormous aggregate liability.
Many employers misunderstand the scope of FCRA coverage. The Act applies whether the background check is conducted as part of the initial application process, after a conditional offer of employment, or at any other point in the hiring process. It also applies to background checks conducted on existing employees, independent contractors (in some circumstances) and volunteers. Understanding what triggers FCRA coverage is the first step in building a compliant screening programme.
The Pre-Adverse Action Notice: Why It Matters
Before taking adverse action based on a background check, you must provide the candidate with a copy of the report and a summary of their rights, with a reasonable waiting period (typically 5-7 business days) to dispute inaccurate information. Skipping this step is one of the most commonly litigated FCRA violations. The purpose is to allow candidates to identify and correct errors in the report before a hiring decision is finalised — background checks contain inaccuracies more frequently than employers assume, and a candidate who is rejected based on a mistaken identity or data error has suffered a real and remediable harm.
Disclosure requirements before ordering a background check
Before an employer may procure a consumer report for employment purposes, the FCRA requires that the employer make a clear and conspicuous disclosure to the candidate, in writing, that a consumer report may be obtained for employment purposes. This disclosure must consist solely of the disclosure itself — the "standalone" requirement — and cannot be embedded in an employment application, an employee handbook, or any document that also contains other information such as waivers, liability releases or company policies.
Courts have interpreted the standalone requirement strictly, and it has generated substantial FCRA litigation. Disclosure documents that appear on the same page as application questions, that include a liability waiver for the employer, that reference the company's background check policy, or that are buried within a longer onboarding packet have all been found non-compliant in class action proceedings. The safest approach is a single-page document containing only the required disclosure language and nothing else.
The disclosure must be clear and conspicuous — meaning it must be presented in a way that a reasonable person would notice and understand. Small font, dense legal language, or placement at the bottom of a lengthy document after other content may satisfy the technical presence of a disclosure while failing the conspicuousness requirement. The CFPB has indicated that disclosure documents should be written in plain language and formatted for easy comprehension.
State laws add additional layers of disclosure complexity. Several states require additional disclosures, impose limitations on the use of specific types of background information, or require that candidates be notified of background check results regardless of whether an adverse decision is made. California, New York, Washington and Illinois are among the most active states in this area. Employers operating in multiple states must ensure their disclosure process complies with the most restrictive applicable requirements.
Written authorisation: what it must contain
In addition to providing the disclosure, the employer must obtain the candidate's written authorisation before procuring the consumer report. The FCRA treats disclosure and authorisation as distinct requirements, though in practice they are typically combined in a single document — the disclosure is provided, and the candidate signs to indicate they have received it and authorise the check.
The written authorisation must be obtained before the background check is ordered, without exception. Obtaining authorisation after the report has been procured is a FCRA violation, regardless of whether the candidate would have authorised the check if properly asked in advance. The sequence is mandatory: disclosure, then authorisation, then report procurement.
The authorisation must be genuinely voluntary. An employer who conditions consideration for employment on signing the authorisation is in a legally grey area — courts have generally held that employers may make background check authorisation a condition of employment, but the authorisation must still be presented as a discrete, informed decision rather than buried in a stack of papers presented simultaneously with the offer letter. Candidates must have a meaningful opportunity to read and understand what they are authorising.
Some employers attempt to obtain a blanket standing authorisation that covers background checks throughout employment — both pre-hire and during employment. Whether this approach satisfies the FCRA is disputed, and several states have found it insufficient. The safest practice is to obtain a fresh, specific authorisation each time a consumer report is procured.
Background Check Workflow in Treegarden
Treegarden's structured background check workflow guides HR teams through every FCRA-required step: disclosure tracking confirms the standalone document was sent, authorisation collection records the signed consent with timestamp, and the workflow advances to the screening stage only after both requirements are confirmed. Each step is documented in the candidate record, creating the audit trail required to demonstrate procedural compliance.
Pre-adverse action notice: the step most employers miss
The pre-adverse action notice is the FCRA requirement that generates the most litigation and the most preventable liability. Before taking any adverse action — including withdrawing a conditional offer of employment, declining to hire, or moving a candidate to an inactive status — based in whole or in part on information in a consumer report, the employer must first provide the candidate with a pre-adverse action notice containing two specific items: a copy of the consumer report itself, and a copy of the FTC's "A Summary of Your Rights Under the Fair Credit Reporting Act" notice.
The purpose of this requirement is clear: it gives the candidate an opportunity to review the report and identify any inaccuracies before a final decision is made. Background reports contain errors with significant frequency — cases of mistaken identity, outdated records that should have been expunged, and inaccurate information provided by data sources are all documented. A candidate who is rejected based on a criminal record that belongs to someone else with a similar name, or based on a conviction that was later expunged, has been harmed by information they were never given the opportunity to dispute.
After providing the pre-adverse action notice, the employer must give the candidate a reasonable period of time — the FCRA does not specify an exact timeframe, but the FTC and employment law practitioners generally treat five to seven business days as the minimum — before implementing the adverse decision. During this period, the candidate may contact the CRA to dispute inaccurate information, and the CRA is obligated to investigate. If the dispute is resolved in the candidate's favour, the employer must reconsider its decision in light of the corrected report.
Many employers skip the pre-adverse action notice because they consider the background check result decisive and obvious. This is a legal error regardless of the severity of the finding. A candidate who commits armed robbery cannot argue that the information in their criminal background check is inaccurate — but the FCRA process must still be followed, and the pre-adverse action notice must still be provided, because the requirement is procedural rather than substantive.
The adverse action process step by step
After the waiting period following the pre-adverse action notice has elapsed and the employer has determined to proceed with the adverse decision, the employer must send a final adverse action notice to the candidate. Unlike the pre-adverse action notice, this document communicates the final decision. The FCRA specifies what this notice must contain: a statement that adverse action has been taken based in whole or in part on information obtained from a consumer reporting agency; the name, address and phone number of the CRA that provided the report; a statement that the CRA did not make the adverse decision and cannot provide the specific reasons for it; and notice of the candidate's right to obtain a free copy of the report within 60 days and to dispute the accuracy of the report with the CRA.
The adverse action notice does not require the employer to explain why the specific background check finding was disqualifying. The employer does not need to identify which conviction, which civil record or which verification failure drove the decision. The notice informs the candidate that background check information was a factor, identifies the CRA, and explains their rights — it does not require a substantive explanation of the hiring decision itself.
The complete FCRA adverse action process, from disclosure through final adverse action notice, must be documented in a way that allows the employer to demonstrate compliance if challenged. Key documentation includes: the date the disclosure was provided and to whom; the date the authorisation was signed; the date the report was ordered; the date the pre-adverse action notice was sent and its contents; the date the waiting period ended; and the date the final adverse action notice was sent. Each of these records should be retained as part of the candidate file.
Adverse Action Tracking in Treegarden
Treegarden tracks pre-adverse and adverse action notice delivery dates, candidate response windows and final decision documentation within the ATS workflow. Automated reminders flag when the waiting period has elapsed, ensuring HR teams do not inadvertently implement adverse decisions before the FCRA timeline is satisfied. All notice records are stored in the candidate file with timestamps, preserving the audit trail for the full background check compliance sequence.
The most common FCRA violations and their consequences
FCRA class action litigation has identified a consistent set of violations that recur across employers of all sizes and industries. Understanding these common failure modes is the most effective way to avoid them.
Non-standalone disclosure documents represent the most commonly litigated violation. Employers who embed their FCRA disclosure within employment applications, onboarding packets, or multi-section consent forms face class action exposure for every candidate who received the non-compliant document — potentially thousands of individuals over several years of recruiting activity. The monetary exposure per violation (statutory damages of $100-$1,000 for willful violations) multiplied across a large applicant pool produces settlement demands in the tens of millions even for procedural defects that caused no individual candidate any direct harm.
Skipping the pre-adverse action notice is the second most common violation, and often the one with the most sympathetic individual plaintiff. Candidates who were rejected based on inaccurate background check information, who were never given the opportunity to dispute that information, and who can demonstrate resulting financial harm represent the most damaging FCRA cases for employers — combining procedural violations with actual damages.
Ordering background checks before obtaining signed authorisation, using consumer reports for purposes beyond employment decisions, failing to provide notice when a background check is ordered on an existing employee, and ignoring candidate disputes of background check inaccuracies all appear with regularity in FCRA enforcement actions. Each represents a distinct violation that can generate independent liability.
Use the Same Background Check Provider for All Roles
Inconsistent use of background checks — some candidates checked, others not, without documented criteria — creates disparate impact risk under both FCRA and Title VII. Apply screening consistently based on role type, not candidate. Document the written policy that specifies which roles require which types of background checks, and apply it uniformly across all candidates for those roles. When criminal history screening is involved, follow EEOC guidance on individualized assessment before making adverse decisions, and comply with applicable "ban the box" laws that restrict when in the hiring process criminal history may be considered.
How your ATS supports FCRA compliance workflow
FCRA compliance in pre-employment background screening is fundamentally a process management challenge. The requirements are specific, sequential and documented — which makes them well-suited to workflow automation in an ATS. An ATS that integrates background screening into the candidate pipeline can enforce the required sequence of steps, document completion of each step automatically, and generate the notices required at each stage.
The most important ATS contribution to FCRA compliance is documentation: creating a timestamped, auditable record of every step in the background check process for every candidate. When an FCRA claim is filed, the employer must be able to demonstrate that each step was completed in the correct sequence. Paper-based processes and email chains frequently fail this test due to gaps, delays in filing, and the difficulty of reconstructing a complete timeline from distributed records.
Workflow gates in the ATS — stages that cannot be advanced until required steps are confirmed complete — prevent the most common process failures. An ATS that requires confirmation that the standalone disclosure was sent and the authorisation received before allowing the background check order to be placed prevents the sequencing violations that generate FCRA liability. An ATS that generates a pre-adverse action task when a background check result comes back with findings requiring review prevents the pre-adverse action notice from being skipped in the press of daily recruiting volume.
Document Storage for FCRA Records in Treegarden
Treegarden stores signed disclosure forms, authorisations and adverse action notices in the candidate record with timestamps for compliance audit. Documents are retained in the candidate file and linked to the background check workflow stage at which they were executed. The complete background check compliance history — from initial disclosure through final adverse action notice — is accessible in a single view, making compliance audits and response to FCRA claims straightforward.
Frequently asked questions about FCRA compliance in background checks
Does the FCRA apply if we conduct background checks ourselves?
No. The FCRA applies specifically to consumer reports obtained through consumer reporting agencies (CRAs) — third-party companies that compile and sell background information. If an employer conducts its own background research (for example, searching public court records directly), the FCRA's disclosure, authorisation and adverse action requirements do not apply. However, employers conducting their own research are still subject to other laws, including Title VII's ban on discriminatory use of criminal history, and applicable state laws. Many states have enacted their own background check laws that apply regardless of whether a CRA is used.
How long must we retain FCRA compliance documents?
The FCRA itself does not specify a retention period for compliance documents, but EEOC regulations require employers to retain personnel records — including records related to hiring decisions — for a minimum of one year from the date of the decision, or until a charge of discrimination is resolved, whichever is later. Many employment attorneys recommend retaining background check authorisations, reports and adverse action notices for at least five years, given the statute of limitations for FCRA civil claims. Building document retention into the ATS workflow ensures compliance documentation is preserved automatically.
What is a "standalone" disclosure document under the FCRA?
The FCRA requires that the disclosure provided to a candidate before ordering a background check consists "solely" of the disclosure — it cannot be embedded in an employment application, combined with other consent forms, or surrounded by other terms and conditions. Courts have interpreted this "standalone" requirement strictly: a disclosure that appears on the same page as a liability waiver, for example, has been found non-compliant, even if the disclosure itself was clearly written. The safest approach is a single-page document that contains only the FCRA disclosure and nothing else — not a company logo, not a header with the company's terms, nothing beyond the required disclosure language.
Can we withdraw a job offer based on a background check without going through the adverse action process?
No. If the decision to withdraw an offer is based in whole or in part on information in a consumer report obtained from a CRA, the full FCRA adverse action process applies: pre-adverse action notice with copy of the report and summary of rights, a waiting period of typically 5-7 business days, and final adverse action notice. Withdrawing an offer without following this process, even informally, constitutes a FCRA violation. The process cannot be shortened because the employer considers the background check result obvious or severe — the procedure is mandatory regardless of the nature of the finding.