Protecting Your Company: Why Choosing An Accredited Screening Provider Matters
The businesses that thrive cultivate and leverage strategic partnerships with industry providers they can trust. No one—and no start-up—is an island. When it’s time to link up with a third-party vendor, you need an organization you can depend on not only to deliver products and services in a timely fashion but to do so while adhering to industry-best standards and regulations. Otherwise, you risk exposing your company to penalties you never bargained for.
Choosing an employee background screening provider, also known as a consumer reporting agency (CRA), comes with particularly high stakes. The reason you’re hiring one in the first place is to properly vet your job applicants. Above all things, you want to avoid a “bad hire,” someone untrustworthy or unqualified who might prove to be a liability or impediment to a safe, productive, and litigation-free work environment. Likewise, you’re looking for a screening provider that will conduct a thorough and accurate investigation of your candidates at a reasonable price and with efficient turnaround times. But there’s something else that can go overlooked next to temptingly low costs, accurate reports, and promises of next-day background check reports, and that’s the provider’s accreditation status.
The Vital Importance of PBSA Accreditation
In the interest of protecting applicants as well as the companies that screen and hire them, the screening industry is governed by an ever-adapting and growing set of regulations. Complying with these regulations is of paramount concern for HR and hiring departments—or should be—as noncompliance can lead to significant if not crippling legal penalties.
The body that ensures screening providers (CRAs) have achieved all appropriate benchmarks is the Professional Background Screening Association (PBSA). To be accredited with this agency means that the provider’s processes, policies, and site of operations have been personally verified (i.e., through rigorous third-party desk and onsite audits and evaluations) to meet the highest standards for the following criteria:
- Information Security
- Legal and Compliance
- Client Education
- Researcher and Data Standards & Capabilities
- Verifications Services Standards & Capabilities
- Business Practices
The PBSA offers a specialized program, the Background Screening Agency Accreditation Program (BSAAP), for CRAs to follow in an effort to achieve initial and ongoing compliance with the above criteria. This program is widely recognized as the industry’s gold standard for excellence and outlines stringent requirements and measurements that the CRA must strive to meet in order to receive the NAPBS “seal of approval.”
Quality in the Details
During the evaluation of a CRA, the third-party accreditation and auditing firm will require the CRA to provide documentation of policies and processes as well as visible proof of compliance in action. Employers can rest assured that there is no cutting corners with NAPBS accreditation. In fact, CRAs must complete this process every five years in order to maintain their accreditation.
How to Screen a Screening Provider
The BSAAP brings microscopic focus to the six critical criteria that comprise an operating CRA. The question is how well the CRA demonstrates competence and compliance in each area.
Information Security
How seriously does the CRA take the security of the sensitive information it uses to do business? Where and how is Personally Identifiable Information (PII) held or stored? Wherever it is held (hosted internally or externally), the entity must have completed one or more audits conducted by a qualified security assessor and hold current certification that proves potential vulnerabilities have been adequately addressed.
Additionally, the CRA must be found to demonstrate the following elements and measures to further defend PII in their possession. (At minimum, all the following procedures must meet applicable legal and regulatory requirements.)
- A written information security policy that is specifically implemented, managed, and enforced by designated individuals.
- Data security procedures to prevent, detect, investigate, and respond to intrusion of physical and electronic data.
- Measures to appropriately encrypt or protect all stored and backed up data.
- Defined access protocols for physical and electronic consumer information (or PII) that administer access rights to applicable personnel based on business necessity and are regularly updated to reflect personnel and system changes.
- Physical security measures to control access to all CRA facilities.
- A written and electronically available (accessible via website) consumer information privacy policy that clearly outlines the purpose of PII collection, its intended use, and how said data will be shared, stored, and destroyed.
- Measures to strictly prohibit unauthorized browsing of PII by CRA employees outside of business necessity.
- Procedures and policy to destroy (make unrecoverable) records containing PII when no longer required for business purposes.
- Measures to enforce sensitive data masking (e.g., truncated SSNs) while in possession of the CRA and when transmitted to applicable and certified end users.
Legal and Compliance
Does the CRA observe and comply with all provisions, laws, and regulations as outlined by the federal Fair Credit Reporting Act (FCRA)? How knowledgeable is the CRA about applicable consumer reporting and employment laws in your locality? This section of screening your would-be CRA is crucial. Noncompliance in any of these areas can put your company in legal hot water.
Additionally, the CRA must demonstrate the following elements and measures to prove total compliance with applicable laws and regulations:
- A designated individual who is responsible for ensuring the CRA’s ongoing compliance with federal FCRA standards as they pertain to the dissemination of consumer reports for employment purposes.
- A designated individual who is responsible for ensuring the CRA’s ongoing compliance with state consumer reporting laws.
- A designated individual who is responsible for ensuring the CRA’s ongoing compliance with the Driver Privacy Protection Act (DPPA), including state implementations of the act, in the event that the CRA provides consumer reports containing DPPA-relevant information.
- Integrity policy that prohibits the CRA’s engaging in bribery or fraudulent activity with public and government officials for preferential treatment.
- Set procedure for providing up-to-date prescribed notices to clients as outlined by the FCRA and the Consumer Financial Protection Bureau (CFPB).
- Measures to obtain signed agreement, certification, or affirmation from client that confirms they will comply with applicable laws and regulations regarding consumer reports.
- Procedure for informing clients of their legal responsibilities and required forms and documents in the procuring and handling of consumer reports.
- Procedure for informing clients of their responsibility to develop legally compliant processes for disclosing pertinent FCRA information to consumers, obtaining written authorization before requesting a report from the CRA, and taking adverse action based on findings. CRA must also recommend the client consult with their own legal counsel.
- A procedure for handling and documenting consumer disputes.
- When reporting potentially adverse public record information, such as criminal records, the CRA must act in one of two ways according to the FCRA: 1) follow strict procedures for ensuring the accuracy of reported information, or 2) inform the consumer when the report was issued and to whom (name and address of the CRA client).
- Reliable measures to confirm the identity of the consumer being investigated.
- Measures to properly and efficiently supply consumer with their full report when requested.
- Access to a subject matter expert on jurisdictional court differences and courtroom terminology in the event that the CRA reports court records.
- Quality control mechanisms in place, including a designated individual responsible for QC, for preventing, auditing, analyzing, and responding to inaccurate consumer information when it occurs, especially when using automated reporting systems.
Client Education
How well does the CRA communicate your role in interpreting and implementing the consumer reports they provide? Are their client education materials comprehensive and easy to understand? Are their service claims reliable or over the top?
A good CRA will never try to give you legal advice or take the place of your own legal counsel. Additionally, they will provide the following:
- Clear communication of the substance of each consumer report provided, including the information source type (e.g., county and state records, former employers, academic institutions, etc.) and the limitations and variables affecting the availability and scope of said information.
- Process for informing the client of their responsibility to seek legal counsel while developing an employment screening program suitable to the needs of their organization and in compliance with the FCRA.
- Instructions on how to order, retrieve, and appropriately interpret the format and content of the CRA-provided consumer reports.
- Process for adequately informing client of their responsibility to appreciate the sensitive nature of consumer reports, protect them from exploitation, and appropriately dispose of them as outlined by the FCRA and DPPA.
Researcher and Data Standards & Capabilities
How does the CRA vet and oversee non-employee public record researchers? Do they apply the same standards of quality and compliance to contractors as they do in-house?
When working with public record researchers, the CRA must do the following to achieve end-to-end quality assurance:
- Employ a signed agreement with researchers that clearly defines the scope of provided services, including:
  - Jurisdictions covered,
  - Search methodology,
  - Depth of research,
  - Disclosure of findings,
  - Efficiency benchmarks for communication and completing search requests,
  - Identity confirmation measures,
  - Confidentiality and reinvestigation requirements.
- Properly vet and certify that all researchers apply CRA’s standard of ethics and quality.
- Information security processes to safely transmit orders to and receive search results from researchers.
- Procedure for obtaining proof of researcher’s errors and omissions insurance or ensuring coverage for uninsured or underinsured researchers.
- Process for auditing public record researchers for quality control.
Verifications Services Standards & Capabilities
Can the CRA promise accuracy in their reports? What methods do they use to keep that promise? What standards do they maintain for their verification services?
To qualify for PBSA accreditation, the CRA must complete their verification services with the following:
- Have and follow set procedures for achieving maximum possible accuracy in the work of obtaining, documenting, and reporting verification information.
- Method for procuring consumer authorization before contacting current employers.
- Method for reporting non-accredited post-secondary academic institutions to client.
- Procedure for clearly defining and charging for verification attempts.
- Method for ensuring integrity of verification databases and handling consumer disputes when said information is stored and maintained for resale purposes.
- Process for reporting the return of conflicting data to client if received within 120 days of delivering the initial consumer report.
Business Practices
How does the CRA do business? What are their hiring policies and personnel standards?
Finally, before you decide to do business with a CRA, ensure that their business practices include the following:
- Background checks for all CRA owners, officers, principals and workers.
- Designated individual who stays abreast of applicable and ever-changing laws and regulations.
- Minimum of $1 million coverage in errors and omissions insurance.
- Method to authenticate clients, vendors, and consumers prior to processing and supplying consumer reports.
- Written record retention and destruction policy.
- Policies in place to assure CRA worker confidentiality and compliance, including ethics training and reporting practices.
Shouldn’t the same due diligence you would apply to a job candidate apply to the organization vetting your candidates? PBSA accreditation reflects this stringent due diligence so that you can confidently do business with a CRA without putting your company at risk.