How to Comply with FCRA — 6 Steps

The Fair Credit Reporting Act, or FCRA, is a piece of legislation passed by Congress in 1970 to promote fairness, accuracy and privacy for information that consumer reporting agencies use for different purposes. One of the most common functions falling under FCRA is organizations’ use of background checks for the purpose of employment.

Organizations normally send requests to credit reporting agencies when individuals apply for employment, both to obtain a background check and a consumer credit report. What this means is exposure to information of a personal nature at both the organizational and credit-reporting agency level. FCRA aims to help protect the information of these individuals, and this article will detail how organizations can comply with FCRA during this commonly-occurring hiring practice.

Please note: this article should serve as a brief overview of FCRA compliance and in no way is a substitute for legal advice.

Permissible Purpose

To meet compliance with FCRA, organizations must establish a permissible purpose for the use of said personal information. Under FCRA, this information must be used for ordering background checks for the purposes of employment. FCRA uses a broad definition for “employment,” which includes hiring, promotion, transfers, retention, and contracting or volunteering.

One real-world example of this employment, aside from the obvious new hire scenario, is when an organization appoints an executive or professional to a role. A background check may be a routine part of this promotion, just as a cautionary practice.


FCRA mandates that the individual be provided a written notice disclosing that a background check may be required as a condition to their hiring. Operationally speaking, organizations normally provide the individual this disclosure when they arrive for a face-to-face interview. This disclosure can only be combined with an authorization, which will be examined below.    


As a preliminary matter, (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: