What Is FCRA? A Small Business Employer's Guide
FCRA stands for Fair Credit Reporting Act. Plain-English guide for SMBs running background checks. 5 employer duties, adverse action process, and penalties
What Is FCRA?
The Fair Credit Reporting Act explained for small business employers running background checks
The first time I ran a background check on a candidate, I had no idea there was a federal law governing the process. I used a third-party service, got the results, decided not to hire based on what the report showed, and sent the candidate a rejection email. I violated FCRA in at least three ways: I did not provide a standalone written disclosure before the check, I did not give the candidate a copy of the report before rejecting them, and I did not follow the adverse action process. Any one of those violations could have cost me $100 to $1,000 in statutory damages per violation, plus attorney fees.
FCRA is not a law most small business owners think about until they run their first background check. But if you use any third-party service to screen candidates, FCRA applies to you regardless of how many employees you have. This guide explains what FCRA is, what it requires from employers, and how to comply without needing an employment lawyer.
What Does FCRA Stand For?
FCRA stands for the Fair Credit Reporting Act. It is a federal law enacted in 1970 (Public Law 91-508, codified at 15 U.S.C. sections 1681 through 1681x) that regulates how consumer reporting agencies collect, distribute, and use consumer information, including background check reports used by employers.
In an HR context, FCRA governs the relationship between three parties: the employer (who requests the report), the consumer reporting agency or CRA (who provides the report), and the candidate or employee (whose information is in the report). The FTC provides specific guidance on employer obligations when using consumer reports. The law gives candidates specific rights (access to their report, the right to dispute inaccuracies, the right to know when a report is used against them) and imposes specific duties on employers (disclosure, authorization, adverse action process).
What Is the Fair Credit Reporting Act?
Most people associate FCRA with credit reports and debt collection. That is half the law. The other half, Section 604(b), governs employment-purpose consumer reports: criminal background checks, employment verification, education verification, motor vehicle records, and credit checks used for hiring decisions. This is the half that applies to every employer who uses a CRA to screen candidates.
The FTC and the Consumer Financial Protection Bureau (CFPB) enforce FCRA. Employers who violate FCRA face both individual lawsuits (private right of action) and regulatory enforcement. The EEOC also provides joint guidance on using background checks in compliance with both FCRA and anti-discrimination laws.
Does FCRA Apply to My Small Business?
Yes. If you use any third-party service (a consumer reporting agency) to obtain information about a candidate or employee for employment purposes, FCRA applies to you. There is no minimum employee count. There is no revenue threshold. There is no exemption for small businesses, startups, or nonprofits.
FCRA does not apply if you conduct your own investigation without using a CRA. If you personally google a candidate, check their LinkedIn, call their references, or run a court records search yourself (not through a service), FCRA does not apply to those activities. However, the moment you pay a service (Checkr, GoodHire, Sterling, HireRight, or any background check provider) to compile a report, FCRA kicks in.
What Counts as a Consumer Report Under FCRA?
| Covered by FCRA (if from a CRA) | NOT Covered by FCRA |
|---|---|
| Criminal background check via a background check provider | Googling the candidate's name yourself |
| Employment verification through a third-party service | Calling the candidate's former employer directly |
| Education verification through a verification service | Checking the candidate's LinkedIn profile |
| Credit report used for employment purposes | Checking public court records yourself (without a CRA) |
| Motor vehicle records obtained through a CRA | Asking the candidate about their criminal history in an interview (subject to state ban-the-box laws) |
| Drug test results when reported through a CRA | Internal reference checks you conduct personally |
The key distinction: FCRA applies when information is obtained from a consumer reporting agency (any entity that regularly assembles or evaluates consumer information for third parties). If you do the research yourself, directly, without an intermediary, FCRA does not apply. But practically, most small businesses use a CRA because doing background checks yourself is time-consuming and legally complex. The hiring and onboarding process guide covers the full process including when to use a provider versus doing it yourself.
The 5 Employer Duties Under FCRA
FCRA imposes five specific duties on employers who use consumer reports for employment purposes. Violating any one of them creates liability.
The most commonly violated duty is number 1: the standalone disclosure. The most commonly skipped duties are numbers 3 through 5: the adverse action sequence. Small businesses that run background checks but skip the adverse action process when they find negative results are violating FCRA every single time. The compliance onboarding guide covers how to integrate these steps into your hiring workflow.
The Standalone Disclosure Trap
The single most expensive FCRA violation for employers: combining the background check disclosure with other documents. Section 1681b(b)(2)(A) requires that the disclosure be "in a document that consists solely of the disclosure." Courts have interpreted this strictly.
In practice, this means the disclosure cannot be part of the job application, cannot include a liability waiver, cannot include an at-will employment statement, and cannot include any language beyond the disclosure itself and the authorization. Even a single extraneous sentence can void the disclosure and create class-action liability.
The fix is simple: use a one-page form with two elements only. First, a clear statement that you may obtain a consumer report for employment purposes. Second, the candidate's signature authorizing the report. Nothing else on the page. E-signature tools make this easy: create the standalone form as a separate document in your e-signature workflow, and the candidate signs it digitally before you order the report. The new hire paperwork guide covers how to sequence this form within the broader document collection process.
The Adverse Action Process
If a background check reveals information that makes you consider not hiring the candidate, you cannot simply reject them. FCRA requires a three-step process with a mandatory waiting period.
This process exists to protect candidates from being rejected based on inaccurate information. The 5-day waiting period gives them the chance to dispute errors with the CRA before a final decision is made. Skipping or compressing this process is one of the most common FCRA violations and one of the easiest to prove in court: the employer either sent the notices or did not. There is no gray area.
What It Costs When You Get It Wrong
FCRA provides a private right of action, meaning individual candidates can sue employers directly. It also allows class actions, which is where the truly large settlements occur.
| Violation Type | Penalty | Details |
|---|---|---|
| Negligent violation | $100-$1,000 per consumer + actual damages + attorney fees | Did not follow the rules but not intentionally. Most common for SMBs who simply did not know the requirements. |
| Willful violation | $100-$1,000 per consumer + punitive damages (unlimited) + attorney fees | Knew the rules and disregarded them, or should have known. Punitive damages have no statutory cap. |
| Class action (standalone disclosure violation) | $millions | Typical class: every candidate who signed a non-standalone form. Recent settlements range from $296K (small marketing firm) to $5.75M (staffing company). |
| FTC/CFPB enforcement | Civil penalties + injunctive relief | Regulatory action is rarer for SMBs but possible. CFPB has increased enforcement since 2021. |
State Laws That Stack on Top of FCRA
FCRA is the federal floor. Many states add requirements that go beyond federal law. You must comply with both FCRA and any applicable state or local law.
| State / City | Additional Requirement | Impact on Employers |
|---|---|---|
| California (ICRAA) | 7-year lookback limit on criminal records. Must provide specific CA disclosure language. | Cannot consider convictions older than 7 years. Must use California-specific disclosure form. |
| New York (Article 23-A) | Must provide candidate a copy of Article 23-A rights. Fair Chance Act (NYC) delays criminal check until conditional offer. | Additional document in pre-hire package. Cannot run criminal check until after conditional offer in NYC. |
| Massachusetts | Prohibits credit checks for most positions. Criminal record reform limits what can be considered. | Cannot use credit reports unless the role has a specific financial responsibility exception. |
| Illinois | Must comply with Employee Credit Privacy Act (limits credit checks). Chicago Ban-the-Box delays criminal inquiry. | Credit checks restricted to specific roles. Criminal history cannot be asked on initial application in Chicago. |
| Ban-the-Box jurisdictions | 37+ states/cities delay criminal history inquiry until after initial screening or conditional offer. | Must structure your process so the background check runs after the conditional offer, not before. |
The practical implication for small businesses: check your state and city requirements before running any background check. The SHRM maintains a comprehensive FCRA compliance checklist that includes state-by-state variations. The compliance hub provides detailed state-by-state HR compliance guides.
FCRA vs. EEOC: Two Laws, One Background Check
FCRA and EEOC anti-discrimination laws apply simultaneously to the same background check. FCRA governs the process (disclosure, authorization, adverse action notices). EEOC governs the substance (whether your use of the information discriminates against protected classes).
| FCRA | EEOC | |
|---|---|---|
| What it regulates | The process of obtaining and using consumer reports | Whether the hiring decision discriminates based on protected characteristics |
| Key requirement | Standalone disclosure, written consent, adverse action process | Individualized assessment considering nature of offense, time elapsed, and job relatedness |
| Enforced by | FTC, CFPB, private lawsuits | EEOC, private lawsuits |
| Applies at | All employers using a CRA (no size threshold) | 15+ employees (Title VII), 20+ (ADEA), 15+ (ADA) |
| Common violation | Non-standalone disclosure form | Blanket policy rejecting all candidates with criminal records |
The EEOC and FTC joint guidance recommends that employers conduct an individualized assessment before taking adverse action based on criminal history. This means considering the nature and gravity of the offense, the time that has passed, and the nature of the job. A blanket "no criminal history" policy violates EEOC guidance and may violate Title VII through disparate impact. The human resource laws guide covers the full set of federal employment laws and how they interact.
Frequently Asked Questions
What does FCRA stand for in HR?
In HR, FCRA stands for the Fair Credit Reporting Act, the federal law that governs how employers can use background checks (called 'consumer reports') in hiring decisions. It requires employers to get written consent before running a background check, provide the check on a standalone disclosure form, and follow a specific adverse action process if the results affect the hiring decision. FCRA applies to every US employer regardless of size.
Does FCRA apply to small businesses?
Yes. FCRA applies to every employer that uses a consumer reporting agency (CRA) to obtain a consumer report on a candidate or employee, regardless of company size. Whether you have 5 employees or 5,000, if you use a third-party service to run a background check, FCRA applies to you. The law does not have an employee-count threshold like Title VII (15+) or FMLA (50+).
Does FCRA cover independent contractors?
Yes. FCRA applies to background checks on employees, independent contractors, and volunteers. Any time you obtain a consumer report from a CRA for an employment purpose (hiring, promotion, reassignment, or retention), FCRA requirements apply regardless of the worker's classification.
What is the difference between FCRA and FACTA?
FACTA (Fair and Accurate Credit Transactions Act of 2003) is an amendment to FCRA, not a separate law. FACTA added requirements including the right to free annual credit reports, identity theft protections, and the disposal rule requiring secure destruction of consumer report information. For employers, the most relevant FACTA provision is the disposal rule: you must securely destroy consumer reports and related information when you no longer need them.
How long must I keep FCRA records?
FCRA itself does not specify a retention period for employer records, but the EEOC recommends retaining all hiring records for at least one year from the date of the hiring decision. If a charge of discrimination is filed, retain records until the case is resolved. Best practice for small businesses: keep consent forms, consumer reports, and adverse action notices for at least 5 years in a secure, access-controlled system.
Do I need a separate FCRA form for each state?
You need a single federal FCRA disclosure and authorization form for all states. However, several states require additional disclosures or have stricter rules. California requires a checkbox indicating the type of investigation. New York requires a copy of Article 23-A. San Francisco, Philadelphia, and other cities have ban-the-box timing requirements that affect when you can run the check. Check your state and local requirements in addition to federal FCRA.