Selecting a background check vendor is not only a procurement decision; it is a compliance decision with independent liability consequences. This article gives HR managers, compliance officers, and legal and procurement teams a structured framework for evaluating a vendor's FCRA compliance posture before signing a contract, with the CRA-side obligations, accreditation signals, contractual provisions, and red flags that determine whether a vendor's screening program will support or undermine the employer's own compliance.
Key Takeaways
- FCRA imposes independent obligations on consumer reporting agencies that are separate from and in addition to the obligations it imposes on employers. A vendor that fails its CRA-side obligations exposes the employer to liability that the employer cannot cure through its own process alone.
- The maximum possible accuracy standard under FCRA requires a CRA to maintain reasonable procedures for ensuring that the information in consumer reports is current, complete, and correctly attributed. A vendor that does not meet this standard produces reports that create employer liability regardless of how well the employer handles its own disclosure and adverse action process.
- PBSA accreditation is a signal of compliance infrastructure, not a guarantee of FCRA compliance. It should be treated as one due diligence input among several rather than as a substitute for direct evaluation of the vendor's compliance posture.
- SOC 2 Type II attestation addresses data security controls and is a separate framework from FCRA. A vendor with SOC 2 attestation has demonstrated security control effectiveness; it has not demonstrated FCRA compliance.
- The vendor contract should document which FCRA obligations attach to the CRA, which attach to the employer, and what happens procedurally when the vendor's report is the basis for an adverse action. Absent these provisions, the employer may bear liability for gaps in the vendor's process.
- Adverse action infrastructure is a vendor compliance signal. A vendor whose platform does not support the full two-step adverse action workflow, including pre-adverse notice delivery, waiting period tracking, and final notice generation, is not providing a FCRA-compliant service regardless of its marketing claims.
- The vendor due diligence process should be documented as part of the organization's FCRA compliance program. Documentation that the employer evaluated the vendor's compliance posture before contracting is relevant evidence if the vendor's conduct later produces a compliance dispute.
- Ongoing vendor compliance review should be a scheduled program activity, not a one-time event at contract signing. A vendor's compliance posture can change as its data sourcing, dispute handling, and operational processes evolve over the life of the relationship.
Why Choosing a Background Check Provider Is Itself a Compliance Decision
The FCRA Obligations That Attach to the Consumer Reporting Agency, Not Just to the Employer
FCRA distributes its obligations between two distinct parties: the employer, which FCRA defines as the user of the consumer report, and the consumer reporting agency, which FCRA defines as any entity that regularly assembles or evaluates consumer information for the purpose of furnishing consumer reports to third parties. The CRA's obligations under FCRA include maintaining reasonable procedures to assure maximum possible accuracy of consumer reports, establishing a reinvestigation process for disputed information, providing consumers with access to their own files, and maintaining permissible purpose verification procedures. These obligations exist independently of whatever the employer does. A CRA that fails them produces legally deficient consumer reports regardless of how carefully the employer handles disclosure, authorization, and adverse action on its end.
How a Non-Compliant Vendor Creates Employer Liability Independent of the Employer's Own FCRA Process
An employer that follows every FCRA step correctly but uses a vendor that does not meet FCRA's CRA-side accuracy or dispute obligations is still exposed to liability arising from the vendor's conduct. The consumer who is harmed by an inaccurate report, a report that includes a record that should have been suppressed, or a dispute that was not properly reinvestigated may have claims against both the CRA that produced the report and the employer that used it, depending on the specific facts and applicable law. The employer's correct adverse action process may not fully insulate it from liability for defects in the underlying report, depending on the nature of the claim and applicable law. When the vendor fails FCRA's accuracy standard, the report the employer receives is legally deficient before the employer's process begins.
The Distinction Between a Vendor's Product Quality and Its FCRA Compliance Posture
Product quality and FCRA compliance posture are related but distinct attributes of a background check vendor. Product quality addresses whether the vendor returns comprehensive, accurate, and timely results. FCRA compliance posture addresses whether the vendor's processes for compiling, delivering, and supporting those results meet the legal standards that apply to consumer reporting agencies. A vendor can have strong product quality and weak compliance posture, or vice versa. The vendor evaluation framework should treat these as two separate tracks of inquiry, each with its own questions, documentation requirements, and minimum standards.
What FCRA Requires of a Consumer Reporting Agency
The CRA Obligations Under FCRA That Govern How Consumer Reports Are Compiled, Maintained, and Delivered
Under Section 607 of FCRA, a CRA must maintain reasonable procedures designed to avoid violations of the Act, including limiting the furnishing of consumer reports to those with a permissible purpose. Under Section 613, a CRA that reports public record information for employment purposes that is likely to have an adverse effect on the consumer must either maintain strict procedures to ensure the information is complete and up to date, or notify the consumer that the information is being reported. A vendor whose standard report delivery does not include the required FCRA Summary of Rights with each employment-purpose report is not delivering a FCRA-compliant report.
The Maximum Possible Accuracy Standard and What It Requires of a CRA's Data Sourcing and Verification Processes
Section 607(b) of FCRA requires that a consumer reporting agency follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates. In practice, this standard requires that a CRA maintain procedures for:

- Updating records when courts or agencies change or correct them
- Verifying identity before attributing a record to a consumer
- Suppressing records that should not be reported under applicable state or federal law
- Correcting known errors promptly before reports are delivered
A vendor that relies exclusively on stale database aggregates without primary source verification, or that has no mechanism for catching and correcting data errors before delivery, is not meeting this standard.
The Reinvestigation and Dispute Process Obligations That a CRA Must Satisfy When a Consumer Disputes a Report
Section 611 of FCRA requires the CRA to conduct a reasonable reinvestigation when a consumer disputes the completeness or accuracy of any item in a consumer file, completed within 30 days of receiving the dispute, with a possible 15-day extension. If the disputed information is found to be inaccurate, incomplete, or cannot be verified, the CRA must delete or correct it and notify any employer who received the report for employment purposes within the preceding two years. A vendor whose dispute infrastructure does not generate timely employer notifications creates a gap in the employer's ability to respond correctly when a report is corrected after an adverse action decision has been made.
Accreditation and Certification Signals: What They Indicate and What They Do Not
The table below summarizes the most common vendor compliance credentials, what each addresses, and what it does not address in the context of FCRA compliance.
| Credential | What It Covers | What It Does Not Cover |
| PBSA Accreditation | Compliance infrastructure, data practices, business practices, legal compliance orientation | Guarantee of FCRA accuracy or dispute compliance in specific cases |
| SOC 2 Type II Attestation | Security, availability, processing integrity, confidentiality, and privacy controls | FCRA accuracy standard, dispute handling, adverse action workflow compliance |
| HIPAA Compliance Attestation | Administrative, physical, and technical safeguards for protected health information | FCRA-specific obligations of any kind |
What Compliance Credentials Signal About a Vendor's Infrastructure
PBSA accreditation is one meaningful signal of compliance orientation, but it is not a FCRA compliance guarantee and should be treated as one data point among several. SOC 2 Type II attestation demonstrates that a vendor's security controls are held up under independent audit, not that its consumer reports meet the maximum possible accuracy standard or that its dispute process satisfies Section 611. HIPAA compliance attestation is relevant for vendors operating in healthcare hiring contexts, where the vendor may receive, process, or transmit protected health information. It is a data handling signal, not a FCRA compliance signal, and for healthcare employers it is a meaningful additional credential alongside, not instead of, direct FCRA compliance evaluation.
How to Read a Vendor's Compliance Credentials as a Due Diligence Input Rather Than a Compliance Guarantee
Credentials are starting points for vendor due diligence, not endpoints. A vendor that holds multiple independent attestations, covering security, data privacy, and healthcare-specific data handling, is demonstrating a broader compliance infrastructure than a vendor with none. A vendor that holds credentials but cannot answer direct questions about its accuracy verification procedures, dispute handling timelines, or adverse action workflow is not a defensible choice on compliance grounds regardless of its credential portfolio.
The Vendor Evaluation Framework: What to Verify Before You Sign
The FCRA-Specific Questions Every Employer Should Ask a Background Check Vendor Before Contracting
Before contracting with a background check vendor, the employer should ask a defined set of FCRA-specific questions that address CRA-side obligations:
- How does the vendor verify the identity of the subject before attributing a criminal record to that individual?
- What is the vendor's process for ensuring records are current and have not been expunged, sealed, or corrected since the data was collected?
- How does the vendor handle a situation where it discovers that a record it reported was inaccurate?
- What is the vendor's documented process for reinvestigating a consumer dispute, and what is its average reinvestigation completion time?
- Does the vendor notify employers when a previously delivered report is corrected following a dispute?
These are compliance threshold questions. A vendor that cannot answer them clearly has a compliance posture that warrants concern before any contract is signed.
The Contractual Provisions That Document Shared FCRA Compliance Accountability
The vendor contract should specify which FCRA obligations the vendor will satisfy as the consumer reporting agency, which remain with the employer, and what the vendor's obligations are when a consumer dispute relates to a report used in an employment decision. Specific provisions that should appear include the vendor's representation that it maintains maximum possible accuracy procedures, its obligation to notify the employer when a report is corrected following a dispute, its commitment to process disputes within FCRA timelines, and the employer's reciprocal obligation to follow the adverse action process. Absent these provisions, the employer has no documented basis for holding the vendor accountable when its process fails.
The Data Handling and Adverse Action Infrastructure Questions That Reveal Whether a Vendor's Workflow Supports Employer Compliance
The employer should confirm whether the vendor's platform generates and delivers the CFPB Summary of Rights automatically with each employment-purpose report, whether the platform supports the full pre-adverse action notice workflow including the waiting period and final notice, and whether the platform maintains a retrievable audit trail of each adverse action step. A vendor whose platform does not support the full adverse action workflow is not providing a FCRA-compliant service regardless of the accuracy of its reports.
Red Flags and Disqualifying Gaps in Vendor FCRA Compliance Posture
The Operational Red Flags That Indicate a Vendor's Consumer Report Process Does Not Meet FCRA Accuracy and Currency Standards
Several operational characteristics indicate that a vendor's process may not meet FCRA's maximum possible accuracy standard:
- Relying exclusively on database aggregates without primary source verification for criminal records
- Lacking a documented identity matching procedure before attributing records to a consumer
- Reporting records without checking for subsequent expungements, sealings, or corrections under applicable state law
Any of these, identified during due diligence, warrants either a direct remediation commitment from the vendor or disqualification from consideration.
The Contractual Red Flags That Shift FCRA Liability to the Employer
An indemnification clause requiring the employer to indemnify the vendor for claims arising from use of the reports, without a reciprocal indemnification for defects in the reports themselves, is an asymmetric liability allocation that warrants legal review. A limitation of liability clause capping the vendor's exposure at fees paid may leave the employer holding the majority of exposure in a class action. A provision that characterizes the vendor's reports as research tools rather than consumer reports warrants careful legal review, as such characterizations may affect how FCRA CRA-side obligations are allocated and whether the employer has a contractual basis for holding the vendor accountable under FCRA.
The Adverse Action and Dispute Process Gaps That Expose the Employer to Litigation
Three specific vendor-side gaps create employer exposure even when the employer's own process is correct:

- If the vendor does not notify the employer when a dispute results in a report correction, the employer cannot re-evaluate its decision or take corrective action.
- If the vendor's reinvestigation process exceeds FCRA's 30-day timeline, the consumer has a claim against the CRA that may also implicate the employer's use of the deficient report.
- If the vendor's platform does not maintain records sufficient to reconstruct the adverse action timeline, the employer's ability to defend itself is compromised regardless of how carefully it managed its own process.
Documenting the Vendor Selection Decision as a Compliance Record
Why the Vendor Due Diligence Process Should Be Documented
The vendor due diligence process is complete when the organization has a documented record of what it evaluated, what the vendor represented, what contractual commitments were obtained, and what compliance conditions were set as prerequisites. That documentation demonstrates reasonable care in vendor selection and creates a baseline against which the ongoing relationship can be measured.
What the Vendor Contract Should Contain
| Workflow Stage | Vendor Obligation | Employer Obligation |
| Report compilation | Maintain maximum possible accuracy procedures; update reports when errors are identified | Confirm permissible purpose before ordering |
| Report delivery | Include required FCRA disclosures with each employment-purpose report | Confirm receipt and retain for audit trail |
| Dispute handling | Process disputes within FCRA timelines; notify employer of corrections | Re-evaluate adverse action decisions based on corrected reports |
| Adverse action | Support full pre-adverse and adverse action workflow with auditable record | Follow two-step process before any adverse employment decision |
A contract that addresses all four stages creates a shared accountability framework that maps to the actual FCRA compliance obligations of both parties.
How to Structure an Ongoing Vendor Compliance Review
Vendor compliance posture can change over the life of a relationship. A practical ongoing review program includes an annual confirmation that the vendor's accreditation and certifications remain current, a periodic review of dispute resolution performance, a review of any regulatory actions involving the vendor since the last review, and a contract review cycle that updates FCRA compliance provisions as the regulatory environment evolves. The review program does not need to replicate the full initial due diligence process annually. It needs to detect material changes in the vendor's compliance posture before they affect the employer's screening program.
Conclusion
Vendor selection is a compliance event, and treating it as one requires a structured evaluation of the CRA-side FCRA obligations that the vendor must satisfy before any employer-side compliance process begins. A vendor whose compliance posture does not meet FCRA's standards for accuracy, dispute handling, and adverse action infrastructure creates employer liability that the employer's own correct process cannot cure. The employer that documents its vendor due diligence, secures the right contractual provisions, and maintains ongoing compliance review is the employer with the most defensible screening program.
Frequently Asked Questions
What FCRA requirements apply to background check companies?
Background check companies that qualify as consumer reporting agencies under FCRA must maintain reasonable procedures to assure maximum possible accuracy of consumer reports, process consumer disputes within defined timelines, limit report furnishing to permissible purposes, provide consumers with access to their files, and include required disclosures with employment-purpose reports. These obligations apply to the CRA independently of the employer's compliance process.
How do I know if a background check provider is FCRA compliant?
No external certification guarantees FCRA compliance. PBSA accreditation indicates a compliance-oriented infrastructure, and SOC 2 attestation addresses data security, not FCRA compliance. The most reliable evaluation combines direct questioning of the vendor about its accuracy verification procedures, dispute handling timelines, and adverse action workflow with contract review to confirm FCRA obligations are allocated by party.
What should I look for in a background check vendor contract?
The vendor contract should specify which FCRA obligations attach to the CRA and which attach to the employer, require the vendor to notify the employer when a report is corrected following a dispute, commit the vendor to FCRA dispute timelines, and document the platform's adverse action workflow capacity. Contracts that do not address FCRA obligations by party leave liability allocation undefined.
What is PBSA accreditation and does it matter for FCRA compliance?
PBSA accreditation is a voluntary credential from the Professional Background Screening Association that evaluates a screening company's operations against standards covering legal compliance, data practices, and business practices. It signals a compliance-oriented infrastructure and is a meaningful due diligence input. It is not a FCRA compliance guarantee and should be treated as one evaluation factor among several.
Can an employer be liable for a background check vendor's FCRA violations?
Yes. An employer that uses a consumer report produced by a non-compliant CRA may face claims arising from the report's defects, including inaccurate information or a deficient dispute process. The employer's own correct process may not fully resolve liability for defects in the underlying report, depending on the nature of the claim and applicable law.
What questions should I ask a background check company before hiring them?
Key questions include: How do you verify identity before attributing a criminal record to a consumer? What is your process for ensuring records are current and not expunged? How do you handle a discovered inaccuracy in a delivered report? What is your average dispute reinvestigation completion time? Do you notify employers when a previously delivered report is corrected? Does your platform support the full adverse action workflow?
Does a signed vendor contract protect an employer from FCRA liability?
A well-drafted vendor contract documents shared accountability and creates a basis for holding the vendor responsible for its CRA-side obligations. It does not transfer the employer's independent FCRA obligations to the vendor, and it does not protect the employer from claims arising from the employer's own process failures. The contract is a compliance architecture document, not a liability transfer mechanism.
How often should an employer review a background check vendor's compliance posture?
Ongoing vendor compliance review should occur at least annually, covering accreditation and certification currency, dispute resolution performance, any regulatory actions involving the vendor, and contract provisions that may need updating as the regulatory environment evolves. The initial due diligence should not be treated as permanent; vendor compliance posture can change materially over the life of a relationship.
Additional Resources
- Using Consumer Reports: What Employers Need to Know (FTC)
https://www.ftc.gov/business-guidance/resources/using-consumer-reports-what-employers-need-know - Fair Credit Reporting Act (Full Text) — FTC
https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act - CFPB Consumer Reporting Resources
https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/ - Background Checks: What Employers Need to Know (FTC / EEOC Joint Guidance)
https://www.ftc.gov/tips-advice/business-center/guidance/background-checks-what-employers-need-know - California Consumer Privacy Act Employer Guidance (California AG)
https://www.oag.ca.gov/privacy/ccpa
Charm Paz, CHRP
Recruiter & Editor
Charm Paz is an HR professional at GCheck, specializing in background screening, fair hiring, and regulatory compliance. She holds from the Professional Background Screening Association (PBSA) and helps organizations navigate employment regulations with clarity and confidence.
With a background in Industrial and Organizational Psychology, she translates policy into practice to build ethical, compliant, human-centered hiring systems that strengthen decision-making over time.