Auditing Your FCRA Disclosure Process: What Compliance Actually Looks Like in 2026


Every employer in the United States that uses background checks in hiring needs to know two things about their FCRA process. First: when was the disclosure form last reviewed against current case law? Second: would the form survive a willful violation challenge today?

For most organisations, the honest answers are uncomfortable. The form was reviewed at some point in the past, by someone, in a context that is no longer current. Whether it would survive challenge today is unknown — because nobody has run that test recently.

This is not a unique organisational failure. The FCRA disclosure landscape is genuinely complex, the case law is dynamic, and most HR leaders have not been given the budget or mandate to maintain ongoing compliance review. The problem is that the consequences of getting it wrong have scaled into seven-figure territory and are continuing to do so in 2026.

This blog is the practical audit playbook. It walks through what to review, what to look for, what to fix, and how to maintain compliance as case law continues to develop.


The Audit Scope: What to Review

A complete FCRA process audit covers more than the disclosure form itself. It covers the full workflow from candidate application through final adverse action.

The disclosure form. The document presented to candidates before a background check is run. This is the central artefact and the most common source of violations.

The authorisation mechanism. How candidates indicate consent to the background check — whether through a separate authorisation document or a combined disclosure-and-authorisation, and whether the authorisation captures legally required elements.

The investigative consumer report disclosure. A separate, rarely-discussed disclosure required when the employer obtains a consumer report that includes information from interviews with neighbours, friends, or associates. Most employers either don’t use these reports or aren’t aware that a separate disclosure is required.

State-specific disclosures. California, New York, Minnesota, Washington, and several other states have additional disclosure requirements that must be handled correctly alongside the federal FCRA process.

The pre-adverse action procedure. When a background check returns information that may lead to an adverse hiring decision, FCRA requires a pre-adverse action notice with a copy of the report and a summary of consumer rights, plus a reasonable period for the candidate to respond before the decision is finalised.

The adverse action notice. The final notice provided when adverse action is taken, with the required content under the FCRA.

The vendor agreements. Contracts with consumer reporting agencies should address allocation of compliance responsibilities, indemnification, and the vendor’s own FCRA obligations.

Each of these is a potential source of violation. A thorough audit covers all of them.


The Disclosure Form: What to Look For

The single highest-leverage component of the audit is the disclosure form itself. The questions to ask:

Is the disclosure in a document that consists solely of the disclosure? This is the central question. The document should contain the FCRA disclosure language and, if combined, the candidate authorisation. It should contain nothing else.

Common content that should not appear:

  • State law disclosure language. State-specific disclosures should be separate documents.
  • Liability waivers or releases. These are not the disclosure and create exposure.
  • Legal advice disclaimers (“this is not legal advice”, etc.).
  • References to other corporate policies.
  • Equal employment opportunity statements.
  • Confidentiality language.
  • Statements about how the report will be used in employment decisions beyond what the FCRA strictly requires.
  • Information about consumer reporting agencies’ processes beyond what the FCRA requires.
  • Translation availability statements.
  • Cross-references to other disclosure or authorisation forms.
  • Footnotes of any kind.

How is the form delivered? If the disclosure appears in an online application context, it must be presented as a clearly distinct document — not as one screen among many in the application flow. The trend in case law is increasingly strict on this point.

Is the form clear and conspicuous? Beyond the stand-alone requirement, the disclosure must be clear and conspicuous. Tiny font, dense formatting, hidden placement, and similar issues create separate compliance issues even if the content is correct.

Is the form current? Forms that have been in use for years, particularly forms predating the Gilberg, Walker, and Hebert decisions, are very likely non-compliant under current standards regardless of how compliant they appeared at the time of drafting.


State-Specific Overlays: Particularly California

California deserves specific attention because of the volume of FCRA litigation that originates there and the additional state-level requirements that apply.

The Investigative Consumer Reporting Agencies Act (ICRAA). California’s ICRAA imposes additional disclosure and notification requirements that operate alongside the FCRA. The state-specific disclosure must be in its own document, separate from the federal FCRA disclosure.

Specific California content requirements. The California disclosure must inform candidates of the specific source of the report, the candidates’ rights to receive a free copy, and other California-specific elements. These elements should not be combined with the federal disclosure.

The CRA selection. California has additional requirements regarding which consumer reporting agencies may be used and what their internal processes must include.

Sequence of disclosures. When California-specific and federal disclosures are both required, the sequencing and presentation must be handled to ensure each is genuinely stand-alone and that candidates are not confused about what they are being asked to consent to.

For multi-state employers, California is the most complex jurisdiction but not the only one. New York, Minnesota, Massachusetts, and Washington all have specific requirements. The compliance approach that works at scale is to have a federal FCRA disclosure document, a separate authorisation document, and separate state-specific disclosure documents for each state where the employer hires — rather than attempting to consolidate.


The Pre-Adverse Action Procedure

The pre-adverse action procedure is the second most common source of FCRA violations after the disclosure form itself.

When a background check returns information that the employer is considering using as the basis for an adverse hiring decision, the FCRA requires:

Pre-adverse action notice. Before the decision is finalised, the candidate must be provided with notice that the employer is considering taking adverse action based on information in the consumer report.

A copy of the report. The candidate must receive a copy of the consumer report itself, so they can review what is being considered.

A summary of consumer rights. The candidate must receive a copy of the FCRA “Summary of Your Rights Under the Fair Credit Reporting Act,” which is available on the CFPB website.

A reasonable period to respond. The candidate must be given a reasonable period — generally interpreted as at least five business days — to review the information and respond before the final decision is made.

The procedure is mechanical, but the failure modes are common. Employers sometimes:

  • Issue the pre-adverse action and final adverse action simultaneously, denying any genuine response opportunity
  • Fail to include a copy of the actual consumer report
  • Fail to include the FCRA Summary of Rights
  • Provide an unreasonably short response period
  • Take adverse action before the response period expires
  • Fail to consider responses from candidates who do submit information

Each of these is a potential violation. Class actions have been built around each.


The Online Application Integration Problem

A growing source of FCRA disclosure failures is how disclosures are presented in online application systems.

The FCRA’s stand-alone requirement was drafted in an era of paper forms, where “a document that consists solely of the disclosure” had a clear physical meaning. In an online context, the analogue is less clear. Courts have been working through this.

The emerging consensus is that for an online disclosure to be stand-alone:

  • It should appear on its own screen, not embedded in or alongside other application content
  • The candidate should be required to take a specific action (clicking through, signing, etc.) that is distinct from the application submission action
  • The disclosure should not be presented as a continuation of an application form
  • Required elements (the disclosure language, authorisation if combined) should appear without intermingling with other content
  • The candidate should be able to print or save a copy of the stand-alone disclosure

Many employers’ online application systems integrate the disclosure into the broader application flow in ways that do not satisfy these requirements. The disclosure appears as a section of a longer form, alongside other consents, branding elements, and application questions. This integration is itself a potential FCRA violation independent of the substantive content of the disclosure.

For employers using third-party application platforms or ATS providers, the disclosure presentation is often determined by the platform’s design rather than the employer’s choice. Reviewing the actual candidate experience — what the candidate sees and is asked to do — is essential to confirming compliance.


Vendor Agreement Review

Most employers running background checks use third-party consumer reporting agencies. The vendor relationship has FCRA implications that are often inadequately addressed in the vendor contract.

Allocation of compliance responsibilities. The contract should clearly identify which party is responsible for which compliance steps. The vendor handles its own CRA obligations under the FCRA. The employer handles disclosure, authorisation, and adverse action procedures. Joint obligations (such as data accuracy) should be addressed.

Indemnification. Where the vendor’s processes contribute to a compliance failure (e.g., the vendor fails to provide timely notice of negative public record information, as in the PeopleFacts case), the employer should have indemnification rights. Many existing contracts are silent or weak on this point.

Audit rights. The employer should have the right to audit the vendor’s compliance with relevant FCRA obligations, particularly maximum-possible-accuracy procedures and notification timing.

Documentation. The vendor should provide compliance documentation that the employer can rely on if challenged — including their own conformity with FCRA requirements.

Ongoing maintenance. As FCRA case law develops, the vendor should commit to updating their forms, processes, and notifications to maintain compliance, with notification to the employer of any material changes.

For employers whose vendor contracts have not been reviewed in several years, the vendor compliance dimension is often a substantial source of unaddressed exposure.


Building Ongoing Compliance Maintenance

The FCRA compliance picture is not static. Case law continues to develop. State laws continue to change. The class action plaintiff bar continues to identify new theories of liability.

Maintaining compliance over time requires ongoing investment, not a one-time audit. The components that matter:

Annual form review. Every twelve months, FCRA disclosure and adverse action forms should be reviewed by counsel against current case law. The review should be documented.

Case law tracking. Major FCRA cases — particularly Ninth Circuit decisions but also notable cases from other circuits — should be tracked and assessed for applicability to the organisation’s processes.

State law tracking. State-specific FCRA requirements change. California in particular has been actively legislating in this space. A jurisdictional tracker that identifies changes in each relevant state should be maintained.

Vendor compliance verification. Periodic confirmation that consumer reporting agency vendors continue to meet their compliance obligations and that any compliance issues affecting their operation are flagged to the employer.

Process testing. Periodic testing of the actual candidate experience — completing an application as a candidate would, reviewing what disclosures appear in what form, confirming that the experience matches the documented process.

Documentation maintenance. Records of the audit, the case law review, the state law tracking, and the vendor verification should be maintained as evidence of the compliance programme. This documentation is a meaningful defence if a claim is ever brought — the willfulness analysis turns substantially on whether the employer was operating with reckless disregard or with documented good-faith compliance effort.

The investment in ongoing maintenance is meaningful but proportionate to the exposure. Annual legal review of disclosure forms costs a small fraction of a single FCRA class action settlement. The math of this trade-off is not subtle.


A Final Word on Posture

The FCRA disclosure compliance picture invites a particular organisational posture: take it seriously, build the programme, maintain it, and stop assuming that good faith is a substitute for documented compliance. The plaintiff bar has industrialised this area. The settlements continue. The case law evolves.

Organisations that treat FCRA compliance as a procedural footnote — a form somebody designed once and that nobody has looked at since — are operating with exposure that they could close at modest cost. The decision not to close it is, in compliance terms, a decision to continue carrying the risk. In 2026, that risk has a clear and uncomfortable price tag.


AMS Inform provides background verification and workforce screening services across 160+ countries. For organisations reviewing their FCRA compliance frameworks, speak to our team at AMSinform.com
