FCRA compliance for background checks: The Fair Credit Reporting Act explained

FCRA Notice: The data and information provided by Persona does not constitute a "consumer report" as such term is defined under the Fair Credit Reporting Act (as amended) (*FCRA", and Customer represents and warrants that it shall not use the Persona Services or any of the information provided by Persona in whole or in part as a factor in determining eligibility for credit, insurance, employment or another eligibility purpose that would qualify it as a consumer report under the FCRA.

In 2022, Barnes & Noble was hit with a $600,000 class action lawsuit over a background check disclosure form that didn’t comply with the Fair Credit Reporting Act (FCRA). The problem stemmed from a single footnote that said the form was “not legal advice,” which a judge ruled violated the FCRA’s rule that disclosures must be clear, standalone documents without extra language.

If you’re an employer running dozens or hundreds of background checks a month, the Barnes & Noble case is a clear reminder of how easily a minor oversight can turn into a costly legal issue. A single misplaced sentence, a missing form, or a skipped step in the process can spiral into a costly class action worth hundreds of thousands (or even millions) of dollars. 

This guide breaks down everything you need to know about FCRA compliance for background checks, with actionable tips to protect your team and candidates, and a look at how automation can help reduce the chance of costly errors.

What is the Fair Credit Reporting Act (FCRA)?

The Fair Credit Reporting Act is a federal law that regulates consumer reporting agencies (CRAs), including credit bureaus and background check providers, by requiring them to maintain accurate information and limiting how and when they can share consumer data. 

The FCRA also outlines how employers, landlords, and other decision-makers can use these reports and gives individuals specific rights to access, dispute, and correct their information. When it comes to background checks, the FCRA sets clear rules for disclosure, consent, and adverse action that organizations must follow to stay compliant.

The FCRA is designed to protect consumer data, and if you use that data for background checks, both the consumer reporting agency (like a credit bureau or background check provider) and the end user of the report share responsibility for compliance. If you’re using consumer reports to evaluate job candidates, employees, contractors, or tenants, you’re legally required to follow specific procedures under the FCRA to protect the rights of individuals. 

Failing to meet these obligations can result in legal action, and it’s not just employers who get sued. Credit bureaus and background check providers are frequently named in lawsuits over inaccurate information that costs someone a job or housing opportunity.

The most important FCRA requirements to know include:

• Providing clear disclosures

• Obtaining written consent

• Using only approved consumer reporting agencies

• Following proper notice procedures in the event of adverse actions

(We’ll dive deeper into the specifics of these FCRA requirements under “employer responsibilities.”)

If you're looking for the legal fine print, here is the most up-to-date version of the FCRA.

Who enforces the Fair Credit Reporting Act?

The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) enforce the FCRA. These agencies are responsible for monitoring compliance, investigating complaints, and taking action against violators. But it’s not just regulatory agencies like the CFPB or FTC you need to worry about. 

A company or CRA that’s considered the “end user” of the report shares responsibility to comply with FCRA standards. 

Individuals can also bring lawsuits directly against companies that fall out of FCRA compliance and fail to follow required procedures. A single candidate who believes their rights were violated during the background check process could pursue legal action, and those claims can quickly escalate. 

Even if you’re ultimately not found at fault, defending your company takes time, money, and legal resources. And if you lose, the FCRA’s fee-shifting provision may require you to pay the consumer’s legal fees in addition to your own.

Consumer reporting agencies’ (CRAs) responsibilities under FCRA

When most people hear “consumer reporting agency,” they think of credit bureaus like Equifax, Experian, and TransUnion. But under the FCRA, the definition is much broader.

Any organization that assembles or evaluates information about individuals to provide consumer reports for employment (or other) purposes for a fee qualifies as a CRA as specified in the FCRA. This includes many third-party background screening companies, and even smaller firms that specialize in employment verification or public record checks.

The CFPB publishes a helpful list of consumer reporting companies, with examples of CRAs used for employment background checks, tenant screening, credit checks by lenders, Social Security-related identity verification, and more. Keep in mind that this list is not exhaustive: Any organization that meets the FCRA’s definition of a consumer reporting agency may be subject to the law, whether or not it appears on the CFPB’s list.

Note: The CFPB’s list includes companies that self-identify as consumer reporting agencies or provide access to consumer data, but it’s not comprehensive or independently verified. 

Here are some examples of CRAs from the CFPB’s (not exhaustive) list:

• ADP and Screening Selection Services, Inc.: For background screening services

• Backgroundchecks.com: For general background screening services, and income and employment verification

• CCC Verify: For lenders, property managers, public assistance agencies, and others

• Checkr: For employment screeners and post-hire workforce monitoring services

• Experian Verify: For lenders, employment screeners, and social service agencies

• Pinwheel: For banks, lenders, and credit unions

CRAs have specific responsibilities under the FCRA, including:

• Ensuring the information in consumer reports is accurate and up to date

• Investigating disputes from individuals about the accuracy of their reports

• Providing all information in a consumer’s file when the consumer requests it

• Limiting report access to entities with a permissible purpose, such as employment

If the information in a background check is wrong, the legal issue is usually with the background check company (the CRA). If the process wasn’t followed correctly — like not giving proper notice or skipping consent — the legal issue is usually with the company that ordered the report (the user of the consumer report). 

Here are some examples of “users of consumer reports” under the FCRA:

• Lenders offering credit cards, loans, auto leases, BNPL, and similar financial products

• Employers and volunteer organizations conducting background checks and employee monitoring

• Government agencies verifying eligibility for public assistance

• Landlords and property managers screening tenants for rentals

• Banks, credit unions, and merchants verifying personal checks and EFT transactions

• Short-term and subprime lenders serving lower-income or high-risk consumers

• Debt buyers and collectors evaluating or pursuing collections

• Insurance companies screening applicants for health, auto, life, or property insurance

• Utilities and telecom providers assessing risk before providing services like gas, electricity, or mobile plans

• Retailers screening for return fraud or offering in-store financing

• Casinos and gaming businesses extending credit or accepting personal checks for betting

When choosing a background check vendor, you’re probably focused on turnaround time, integrations, and pricing. But one critical question often gets overlooked: Are they operating as a compliant consumer reporting agency under the FCRA?

When selecting a background check provider, make sure they meet the FCRA definition of a CRA and have processes in place to uphold these standards — more on this below.

Employer responsibilities under FCRA

If you’re an employer that uses background checks for hiring, contracting, or tenant screening, you’re considered a user of consumer reports under the FCRA. That means you’re responsible for following specific steps before, during, and after requesting a background check.

Let’s say you’re rushing to fill a role after someone quits unexpectedly. You find a qualified candidate, initiate a background check, and skip a few “small” steps to speed things up. That’s where trouble starts. Seemingly minor corner-cutting could result in a class action suit with thousands of claims: one for every person who received the wrong disclosure.

Failing to follow these steps (even something that seems as trivial as the wording in your disclosure form) can lead to serious consequences. It’s not enough to rely on your background check vendor. You’re the one liable if something goes wrong.

As an employer, your responsibilities under the FCRA include:

• Providing a clear, standalone disclosure before requesting the report

• Getting written authorization from the individual (specific to employment purposes)

• Using the report only for permissible purposes 

• Giving pre-adverse and adverse action notices if the report influences your decision

• Maintaining records and a process for handling disputes

The compliance requirements of the FCRA can get difficult to manage, but you don’t have to keep up with them manually. Persona helps streamline these administrative and operational steps — from collecting consent to managing adverse action workflows — so you can stay compliant without slowing down your background screening process.

How to check if a background check provider is FCRA compliant

There’s no foolproof way to prove that a CRA will stay FCRA compliant all the time. Sometimes, FCRA-compliant providers will clearly state that they are a CRA under the Fair Credit Reporting Act on their website or in their terms of service. If you’re not sure, here are a few ways to help you find a safe background check provider.

1. Check if they identify as a Consumer Reporting Agency (CRA)

FCRA-compliant providers will usually clearly state that they are a CRA under the Fair Credit Reporting Act on their website or in their terms of service.

Look for mentions of:

• “FCRA-compliant background screening”

• “Consumer Reporting Agency (CRA)”

• “Fair Credit Reporting Act compliance”

2. Review their accreditation (if available)

Check if they’re accredited by the Professional Background Screening Association (PBSA). This accreditation isn’t required by law, but PBSA accreditation is a strong signal of FCRA compliance and best practices.

You can search for accredited companies on the official PBSA website.

3. Ask about their FCRA process

Ask them directly:

• Do you provide standalone disclosure and authorization templates?

• How do you support adverse action procedures?

• Do you handle disputes and comply with the 30-day reinvestigation window?

A compliant provider should have answers to all of these and offer documentation or workflow support.

4. Review their sample reports and compliance resources

Look for clear instructions on pre-adverse and adverse action steps, candidate disclosures, and consent collection.

If they leave all FCRA compliance to the employer, that’s a red flag.

5. Consult legal counsel

If you’re unsure, ask your legal team to review the provider’s processes and documents. You’re still legally responsible for FCRA compliance even if the provider makes mistakes.

FCRA requirements for background checks

FCRA requirements are designed to protect individuals from misuse of their personal information during background checks. But not all background checks fall under the FCRA.

FCRA applies to background checks when they are conducted by a third-party company that qualifies as a CRA under the law. Accreditation by an organization like the Professional Background Screening Association (PBSA) is not required for a background check to fall under the FCRA. What matters is whether the provider assembles or evaluates information for employment or tenant screening purposes.

Non-accredited background checks, like informal internet searches, social media checks, or direct calls to references, generally do not trigger FCRA obligations because they are not handled by a third-party CRA. However, you should still follow fair, consistent, and non-discriminatory practices when using any information to make decisions.

If you're using a consumer report to screen full-time employees, contractors, or tenants, here are six areas you should focus on to stay compliant:

1. Have a permissible purpose: You must have a legally allowed reason to request the background check, such as employment or housing.

2. Provide disclosure: Provide a clear, standalone written notice that you may obtain a background check.

3. Get authorization: Get the individual’s written permission before initiating the check.

4. Establish an adverse action process: If you decide not to move forward based on the results, you must send a pre-adverse action notice, provide a copy of the report, and give the person time to respond before finalizing your decision.

5. Review your contract with CRAs: CRAs typically include certifications of FCRA compliance in their service agreements. Make sure those provisions exist in these contracts. 

6. Dispute information in a timely manner: If an individual challenges the accuracy of the report, the CRA must investigate and resolve the dispute within 30 days. If you’re an employer, you must pause any adverse hiring decision if a candidate disputes their background report and wait for the CRA’s investigation before finalizing action, while providing the required FCRA notices.

And most important of all, you have a legal obligation under the FCRA to use background check providers that are FCRA-compliant, meaning the provider qualifies as a CRA under the law and follows the rules. If you knowingly or negligently use a non-compliant provider or a provider that doesn’t meet CRA obligations, and something goes wrong (e.g., inaccurate data, skipped dispute process), you could be held liable along with the provider.

Each of these steps must be executed with care. Automating them can help reduce human error and ensure you're meeting your legal obligations consistently.

Adverse actions

One important FCRA requirement you should know as an employer is the adverse action process. Adverse action takes place when you, the employer or HR professional, decide not to move forward with a candidate or take any negative employment action based on the results of a background check.

This typically happens during the adjudication process, which is when your team reviews background check results to determine whether they meet your company’s hiring criteria. Adjudication involves assessing whether any information in the background check (such as criminal records or discrepancies) is relevant to the role and serious enough to influence your hiring decision.

If you’re considering rejecting, rescinding, demoting, or taking any adverse employment action because of what you found in the report, the FCRA requires that you complete the adverse action process.

There are three steps to the adverse action process:

1. Pre-adverse action notice

Notify the individual that you’re considering taking adverse action based on their background check. This notice must include:

• A copy of the background check report

• A copy of the "Summary of Rights Under the FCRA"

2. Waiting period

Give the individual a reasonable amount of time (good rule of thumb: seven business days) to review the report, dispute any inaccuracies, or provide context.

3. Final adverse action notice

If you still decide to take action after the waiting period, send a final notice stating that the decision was made, along with the name and contact info of the CRA used, and a statement that the CRA did not make the decision and cannot provide the reasons for it.

Skipping or mishandling this process is a common cause of FCRA lawsuits. It doesn’t matter whether the background check came from a well-known CRA or a smaller vendor. The responsibility to follow the adverse action steps falls on you, the employer.

Understanding and following the adverse action process helps you treat candidates fairly, reduces your risk exposure, and creates a transparent experience that protects both your organization and the people you screen. 

How the FCRA law protects consumers during background checks

Picture this: A background check report shows that your candidate has a criminal record from another state. It’s the only red flag in their file. After a closer look, you realize it’s someone else with the same name.

Situations like these are exactly why the FCRA law exists. The law gives individuals the right to know when a background check is being conducted, access the information being reported about them, and dispute any inaccuracies. These rights protect consumers from unfair decisions based on incorrect or outdated data.

In practice, here’s how the FCRA protects candidates, employees, and contractors:

• It limits who can access consumer reports and under what circumstances (like when evaluating someone for a job).

• It requires companies to tell individuals when they’re running a background check and to get permission first.

• It gives individuals the right to see the information in their report, dispute inaccuracies, and explain any discrepancies before a final decision is made.

By making these rights legally enforceable, the FCRA helps ensure fairness in the hiring process and holds both background check providers and employers accountable.

What are the consumers’ rights under the Fair Credit Reporting Act?

Employees, candidates, contractors, tenants — any individual subject to a background check — all have rights under the FCRA when it comes to how their background information is obtained, disclosed, and used in decisions. These protections are in place to ensure people aren’t unfairly judged based on outdated, incorrect, or undisclosed data.

Understanding these rights is about building trust with the people you screen. Here are the key FCRA rights individuals have during a background check:

1. The right to know when a background check is being requested

2. The right to authorize a background check in writing before it happens

3. The right to receive a copy of the report used to make a decision

4. The right to dispute inaccurate or incomplete information

5. The right to receive a summary of rights under the FCRA

6. The right to be notified if an adverse decision is made based on the report

Respecting these rights helps build trust and protects your brand from legal and reputational damage.

Fair Credit Reporting Act and background checks: examples of non-compliance

Background checks are a common part of the hiring process, but they're also one of the biggest sources of FCRA-related litigation. The $600,000 Barnes & Noble class action lawsuit isn’t an isolated incident; companies across industries have paid steep penalties for small FCRA compliance missteps.

Here are some examples of FCRA non-compliance tied to background checks:

• Failure to provide a standalone disclosure: Including waiver language or liability disclaimers in the disclosure, or combining the disclosure with other onboarding documents violates FCRA rules.

• Failure to provide pre-adverse action notice: Some companies skip this step entirely or don’t include a copy of the background check and summary of rights.

• Failure to follow the full adverse action process: Sending a denial email without giving an appropriate amount of time for the candidate to respond or correct inaccurate data is a common mistake.

Each of the following companies also settled FCRA class actions for similar alleged errors:

• Whole Foods: $800,000 settlement

• Home Depot: $1.8 million

• Publix Super Markets: $6.8 million

Facing a Fair Credit Reporting Act class action lawsuit is a slippery slope for companies because there is no cap on the recovery of statutory damages under the FCRA. For example, even though Whole Foods paid $800,000 to settle, it could have faced $2 million to $20 million in damages.

These lawsuits often stem from procedural slip-ups, not intentional wrongdoing. That’s why having the right processes and safeguards in place is so important.

Build identity verification workflows with Persona

Persona integrates with Yardstik, a third-party FCRA-compliant background check provider, to help you automate and streamline every step of your onboarding process.

After completing identity verification with Persona, you can quickly kick off a background check with Yardstik, collect required disclosures and authorizations, and manage the full adverse action process — all in one seamless workflow.

Whether you’re hiring full-time employees, onboarding contractors, or screening volunteers, Persona helps you with FCRA compliance without adding unnecessary friction. You get the benefit of automation, reduced manual work, and a consistent experience for every person you screen.

Contact us to see how Persona can simplify identity verification across your background check workflows.