The Catholic University of America - Campus Legal Clearinghouse
 

 

Summary of Federal Laws

 

Employment                                                                          

Compliance Partners

Director of Academic Technology Services

AVP for Human Resources

Related Policy

Identity Theft Prevention

 

Equal Employment Opportunity

 

Fair Credit Reporting Act (FCRA) (amended by the Consumer Credit Reporting Reform Act of 1996 and the Fair and Accurate Credit Transactions Act of 2003)

15 U.S.C. § 1681 et seq.; 16 C.F.R. Part 600 and 16 C.F.R. Part 601; 16 CFR 681 (Identity Theft Rules)

For convenience, but not as a substitute for the U.S. Code, see the full text of the FCRA as posted by the FTC on January 8, 2009.

 

The Fair Credit Reporting Act, which is a subchapter of the Consumer Credit Protection Act (15 U.S.C. § 1601 et seq.), requires employers to advise applicants if employment was denied based on a credit report.

 

Requirements for Employers Who Use Credit Reports in Hiring: The Consumer Credit Reporting Reform Act of 1996 imposes several obligations on employers who use credit reports when evaluating applicants or employees for employment, promotion, reassignment, or retention. Before obtaining a consumer report (and this includes criminal background checks), an employer must first disclose in writing to the applicant or employee that it may obtain a consumer report for employment purposes and, second, secure the written consent of the applicant or employee. Note that when using a third party consumer reporting agency to request motor vehicle record checks for employment purposes, the FCRA should be followed, and notice given to the applicant or employee. See the Baylor Disclosure of Intent to Procure Consumer Reports and accompanying Release form for an example.

 

The employer must also certify to the consumer reporting agency that it will comply with the Act's disclosure requirements and that any information obtained will not be used in violation of any applicable federal or state equal employment opportunity law or regulation. A consumer report that bears on an individual's character or mode of living and is obtained through personal interviews is known as an "investigative consumer report." The use of this type of report triggers additional disclosure requirements. Within three days of requesting such a report, the employer must mail or otherwise deliver written notice of that action to the applicant or employee. The employer must also advise the applicant or employee of his/her rights under the law, which include disclosure by the employer of the nature and scope of the investigation. This advice must be sent no later than five days after the request was received, or the report was first requested, whichever is later.

 

What to do if the employer obtains a negative background check

If an employer wishes to take any adverse action (not hiring, not promoting, firing) based upon the results from a third party reporting agency, then, prior to taking action, the employer must supply (send or give) the employee or applicant a copy of the background report and a description of his/her rights under the FCRA (see the handout under Resources below). The employee/applicant must be given an opportunity to contest the documents. The FTC has approved a five business day waiting period. After any adverse action is taken, the employer must give the applicant/employee the following information:

 

  • notice of adverse action taken
  • name, address, and phone number of consumer reporting agency that provided report
  • statement that the reporting agency did not make the adverse decision, and cannot give the consumer a reason for the decision
  • notice of consumer's rights to obtain a free copy of report within 60 days
  • notice of consumer's right to dispute accuracy or completeness of report

(See Checking New Hires at the Door, NACUA June 2005 outline by Karen Treber, pp. 3-4)

 

Requirements for Furnishers of Information Under FCRA Amendments: Any entity that reports information about consumers to a credit reporting agency must meet more stringent reporting conditions which attempt to guarantee accuracy. This law applies to universities that furnish student loan repayment information to credit bureaus. The law prohibits reporting information that the university knows or consciously avoids knowing is inaccurate, and requires correcting and updating of inaccurate or incomplete information. Disputes must be reported, and new rules apply to the dating of first delinquencies. By providing consumers with an address to which they can report information that they believe is inaccurate, the furnisher is relieved of some of the liability associated with the reporting of inaccurate information. Upon notice of dispute, the information furnisher must conduct an investigation and report the results to the consumer reporting agency. See 15 U.S.C. § 1681i.

 

FACT ACT: The Fair and Accurate Credit Transactions Act of 2003

HR 2622 Public Law 108-159, Dec. 2, 2003

This law, which amends the Fair Credit Reporting Act, is designed to prevent identity theft and allow consumers greater access to their credit reports. Of interest to universities is an amendment contained in section 611 of the act that excludes certain employee investigation communications from the definition of a consumer report. A staff opinion letter from the FTC had created a great deal of confusion in this area of the law. It is now clear that employers investigating suspected misconduct relating to employment or compliance with federal or local law or employer policies do not have to notify the employee in advance that a credit report has been requested (or obtain the employee's consent for the same). However, if an adverse employment action is taken which is based in whole or in part upon the consumer report, the employee must be provided with a summary of the report.

 

Latest on Red Flag Rule: FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule

The latest notice imposes a June 1, 2010 deadline and also references a court case holding that the FTC may not apply this rule to attorneys. See also the Frequently Asked Questions on the Red Flag Rule.
 

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule, 72 Fed. Reg. 63717, Nov. 9, 2007

The joint final rules and guidelines are effective January 1, 2008.  FTC enforcement will be suspended on the red flag rule (but not the address discrepancy rule for users of consumer reports or the rule regarding change of address applicable to card users) until June 1, 2010. See the FTC 7/29/09 Press Release on the delay, as well as a Red Flag Planning Template provided by the FTC.  

 

There are three key compliance requirements here:

  • Schools that use consumer reports subject to the FCRA (see above) must develop and implement reasonable policies and procedures to ensure authentication of identity for the person who is the subject of the report if the user receives a notice of an address discrepancy. The user (here the university) must also then furnish the accurate address of the consumer back to the reporting agency that sent notice of address discrepancy, if certain conditions exist. (See 16 CFR 681.1)
  • If the school meets the definition of a creditor under the FCRA (any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; see 15 USC 1691a), then the school has several obligations under the final rules. These include periodically determining if it maintains covered accounts and, if it does, developing and maintaining an identity theft program for those accounts, which has been approved by the Board of Directors or an appropriate committee, among other items. (See 16 CFR 681.2)
  • If the institution issues debit or credit cards, then reasonable policies must be in place to assess the validity of a change of address. (See 16 CFR 681.3) If the institution issues campus cards that can be used as debit cards to make electronic fund transfers from a transaction account to off campus merchants, then the institution is subject to this regulation.

See a memo titled Identity Theft Red Flags and Address Discrepancies under the FCRA, by Nina Lavoie, posted on NACUA's web page on September 15th, 2008. In addition, see the Hogan and Hartson Sept. 23, 2008 memo on this topic on the NACUBO website. See also the Sept. 2, 2008 Wilmer Hale email alert titled FACT ACT Red Flag Rules. See also the Educause Connect web page on the Red Flag Rule. See also the Willkie Farr and Gallagher LLP Client Memorandum "Red Flag" Identity Theft Rules May Have You Seeing Red: FTC Extends Compliance Deadline Because Many Companies Did Not Know that These Rules Apply to Them. This last memo addresses scope of coverage of the red flag rule.

See the October 14, 2008 Department of Education letter opining that schools that participate in the Federal Perkins Loan program are covered by the rule, since the school is loaning the money and collecting on the debt.

If you missed the webcast done by Educause on October 22, 2008 on this topic, click on the EDUCAUSE web page for an archived copy of the video and audio.

 

69 Fed. Reg. 68689, Nov. 24, 2004, Disposal of Consumer Report Information and Records; Final Rule, Effective June 1, 2005. This FTC rule implementing the FACT Act requires any employer using a credit report from one of the big three credit reporting agencies for a "business purpose" to properly dispose of such information by taking reasonable measures to protect against unauthorized access. Some of the examples given in the rule are as follows:

 

    (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
    (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
    (3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

 

69 Fed. Reg. 69775 (Nov. 30, 2004) Summaries of Rights and Notices of Duties Under the Fair Credit Reporting Act; Final Rule

Effective Date: January 31, 2005.

 

   The Commission is issuing in final form four documents that describe rights and duties under the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681 et seq. The Commission is issuing these documents because of changes to the FCRA made by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act or Act), Public Law 108-159, 117 Stat. 1952, which was signed into law on December 4, 2003.
    The FACT Act amendments directed the Commission to issue, for the first time, a summary of the rights of identity theft victims. The changes made to the FCRA by the FACT Act also rendered obsolete three documents that the Commission issued in 1997: A general summary of the rights of consumers under the FCRA; a notice of the duties under the FCRA of persons that furnish information to consumer reporting agencies; and a notice of the duties under the FCRA of persons that use information obtained from consumer reporting agencies. 62 FR 35586 (1997). See the revised Summary of Rights which must be given to those on whom an investigative report is being requested, (at time of initial documentation given to applicant or employee) or if simply a consumer report, the Summary of Rights must be given to the applicant or employee prior to taking any adverse employment action. See also the Seyfarth Shaw One Minute Memo dated Dec. 22, 2004 which advises when employers must distribute the Summary of Rights notice to employees or applicants.


 

Effective Dates for the FACT ACT:  69 Fed. Reg. 6526, Feb. 11, 2004

Joint Final Rules of the Board of Governors of the Federal Reserve System (Board) and the Federal Trade Commission (FTC)

 

These rules establish a schedule of effective dates for many of the provisions of the FACT Act for which no effective date was provided by Congress. December 31, 2003 is established as the effective date for provisions of the Act that determine the relationship between the Fair Credit Reporting Act (FCRA) and state laws. The FACT Act eliminated the so-called sunset provision and made permanent the current provisions preempting State laws in seven areas regulated under the FCRA. This may impact state laws on identity theft and use of social security numbers. The effective date for Section 611 (communications for certain employee investigations) is March 31, 2004.

Resources

 

Angell Palmer and Dodge Advisory On Red Flags Rule  (November 2009)

Includes summary of Massachusetts Security Regulation

 

Washington and Lee University Identity Theft Program

 

Washington and Lee Identity Theft Q and A

 

Fighting Fraud with the Red Flags Rule: An FTC Guide

 

Educause ID Theft Red Flags Page: Includes Sample Institutional Policies

 

Red Flag Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs (FTC website)

 

What Employers Need to Know about the Fair Credit Reporting Act and its Updated Regulations by Paula Zimmerman, of Wolf Block, dated 2/7/05.

 

FTC Fair Credit Reporting Act Page

 

See the June 9, 1998 FTC opinion letter in which the agency states that the term "consumer report" is defined broadly to include criminal background checks and any information that touches upon an individual's character, general reputation, personal characteristics or mode of living.

 

Obligations of Users of Consumer Reports Under the FCRA

NACUA Resource Page on Background Checks (password protected)

 


links fixed, compliance partners added mlo
updated 4/21/09 to add FTC Red Flags How to Guide for Business
5/6/09 updated to change date on Red Flag program
5/21/09 updated to add W and L Program and Q and A
compliance box links updated 6/2/09 rab
updated by mlo 6/13/09 to add related policy
updated 8/14/09 by mlo to add latest red flag implementation date
updated 11-4-09 to add June 2010 implementation date
updated 11-13-09 to add Angell Palmer memo


Last Revised 13-Nov-09 11:20 AM.