
BSCC Response to Public Comment


Contents

1. CRA shall present written procedure for obtaining employee written certification that employee will adhere to CRA's confidentiality, security and legal compliance practices. If questioned, CRA employees shall confirm they were required to provide this certification. Auditor may ask to see but not retain copy of the certification signed by one or more employees. CRA shall present written procedure for providing training to employees regarding confidentiality, security and legal compliance practices of CRA. CRA shall make available to auditor any materials used for such training. If interviewed, CRA employees shall describe training which was received. CRA shall present written procedure for ensuring visitor security which prevents access to consumer information. CRA shall make available the person responsible for visitor security program. This person shall be able to describe and/or provide documentation related to visitor security and access control. If questioned CRA employees shall CRA shall present written procedure for conducting a criminal records check every two years on all employees with access to consumer information. CRA shall make available the person responsible for retaining these reports, and auditor may ask CRA to demonstrate where/how reports are retained as well as to see but not retain a copy of completed criminal records check report from one or more employees. CRA shall present procedures which are in place to
2. absolutes and rather use language similar to academic institution appears to be a diploma mill because it sells academic credentials 5 3 Diploma mills is an undefined term CRA shall make available to auditor tools or systems used to disclose CRA shall provide information to employers regarding general verification business practices by using various methods which include but are not limited to 1 product descriptions 2 statement of work documents 3 written agreements and or detail provided in the verification itself Disclosed information regarding general verification business practices includes but is not limited to 1 number of attempts to verify information 2 what constitutes an attempt 3 fees charged by the employer or service provider and 4 standard question formats NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA an employee s current employer can be contacted for verification purposes and not former employers Such the word directly so as not to prohibit CRA from contacting a third party verification source that does not report contacts back to the employer We have also amended the language in the Measure and audit criteria to be consistent with the changes to the Clause The BSCC does not feel it necessary to define the term diploma mill within the Standard but would offer as reference The Higher Education Opportunity Act which defines a diploma mill as follows DIPL
3. confirmation of information source name, address and contact information and 3 soliciting information from a source rather than providing leading information, i.e. asking for job title rather than providing title and asking for confirmation 4 8 there is a reference to a qualified individual See above sections calling for qualified individuals for person available either in person by phone OR shall provide a signed experience with court records with the current CRA employer or other CRA's our concerns The measure is more specific in this instance however it appears to offer little guidance on BSCC Response Qualified is defined in Column D Attributes of and Suggestions for Onsite Audit 5 1 Similar to our concerns with 4 7 we feel that the standard should match the language articulated by the The BSCC has re-worded the Clause to allow for reasonable procedures for assuring maximum possible accuracy when conducting verifications. The BSCC has added the word may in two places in the on-site audit criteria so as not to restrict the CRA's ability to use or develop additional methodologies for reasonably assuring accuracy. CRA may provide information regarding verification of current employment to 5 2 Regulates reference checks The phrasing of this clause is unclear and creates the impression that only The BSCC has moved the word only to clarify the Clause. We have also added employees who are responsible for suc
4. is being used. How is demonstrating going to be defined? The word thorough is being used. Thorough can be defined as perfect, masterful, etc. Do not like that word. BSCC Response: The BSCC has changed the Clause to read: The CRA shall designate an individual(s) or position(s) within the organization responsible for CRA's compliance with all sections of the federal FCRA that pertain to the consumer reports provided by the CRA for employment purposes. The BSCC has also removed the words or retain from the Measure to clarify that the CRA must have an employee within their organization responsible for compliance. While CRAs may rely on outside counsel or consultants for guidance, the CRA must have a designated individual on staff to address compliance. The BSCC also removed and that s/he is qualified to hold such responsibility from Attributes section. Until such time a personal certification designation program is offered, the CRA will be responsible for determining why/how the compliance leader is qualified. The BSCC made changes similar to Section 2 1. Compliance CRA Leader shall affirm his/her role as being responsible for DPPA compliance within the organization. Compliance CRA Leader shall affirm his/her role as being responsible for state DPPA law compliance within the organization. 2 3 reference qualified individuals. This term is not sufficiently defined by the Standard. Does it mean a lawyer is required
5. amount. If CRA does not maintain errors and omissions insurance, CRA must provide documentation that they have self-insured in conformance with state requirements. CRA shall have a procedure to identify and authenticate all clients prior to disclosing consumer reports or other consumer information. The procedure shall require the CRA to maintain written records regarding the qualification of each client who receives consumer reports or other consumer information. CRA shall provide written policy, procedure or other written documentation describing the requirement for and method used to authenticate clients prior to providing consumer reports or any consumer information to client. CRA shall have a procedure to identify and authenticate all vendors prior to disclosing consumer information. The procedure shall require the CRA to maintain written records regarding the qualification of each vendor who receives consumer information. CRA shall provide written policy, procedure or other written documentation describing the requirement for and method used to authenticate vendors prior to disclosing any consumer information to vendor. CRA shall present written procedure for authenticating new clients and demonstrate where/how authentication results are retained. CRA shall make available the person responsible for such authentication, and auditor may ask to see but not retain a copy of authentication records from one or more client companies. I
6. and authentication thereof 2 verification of required private _ place to vet or qualify new public record researchers and states that the vetting records should include 4 for vetting Public Records Researchers The verification metrics referenced in the investigator license if such license is required 3 completed favorable verification of association memberships and 6 confirmation of certification under the NAPBS PROVIDER suggestions for the Onsite Audit are merely a suggestion of how the CRA could reference interviews from at least one current client 4 verification of GUIDELINES Please explain how association memberships are to be verified i e obviously we can verify determine the legitimacy and qualifications of the Public Records Researcher and association memberships such as local Chamber of Commerce Better NAPBS membership and BBB but if a public record researcher provides us with a current copy of their thereby demonstrate conformity with the Clause Business Bureau NCISS ASIS etc 5 results of test searches conducted membership card for an association membership must the CRA then follow up and verify the membership and 6 confirmation of certification under the NAPBS PROVIDER with the association This could be overly burdensome on personnel to do so Please also explain what GUIDELINES confirmation of certification of the NAPBS Provider Guidelines means Must the public record researcher pass the exam for providers o
7. clients sign an acknowledgement as well if they signed an old agreement without the acknowledgment language would propose that having Clients acknowledge that they received the FTC notices apply to new Clients because it is very burdensome to contact all existing clients and ask them to acknowledge receipt of something. A much less burdensome requirement would be to require CRAs to make the notices available to all existing clients via online or email and require the CRA to provide required notices as part of a Client agreement, User agreement, etc. for new clients. NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA The BSCC changed the Onsite Audit section to include verification that does not require a client's signature. The document titled Remedying the Effects of Identity Theft has been removed from the list of currently required notices. The Clause does not specifically require proof or acknowledgement of receipt of prescribed documents by the client, but as a best practice this would be recommended. BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Standard with Audit Criteria Public Comment and BSCC Response. Measure & Documentation. Attributes of and Suggestions for Onsite Audit. Clause Typically Subject to Desk Audit. Potential Verification for Onsite Audit. What auditor should look for in policy, procedure, activity. Public Comment Period Feedback. BSCC Response. Before providing consumer rep
8. does not compile, maintain and resell employment or education information, CRA shall provide written affirmation to that effect. If CRA provides investigative consumer reports from stored data CRA shall present written policy procedure or other written CRA shall have procedures in place to ensure the CRA does not documentation to ensure CRA does not provide previously reported actual personally identifiable information to reasonably ensure that provide previously reported adverse information unless it has been re-verified within the past three months or for a shorter time verified within the past three months or for a shorter time if required law in CRA's database is re-verified prior to such information being by state or local law If CRA does not utilize stored data CRA shall included in a new consumer report If interviewed CRA employees if required by state or local law CRA shall have procedures in place to document all verification attempts made and the result of each attempt in completing all verification services. CRA shall make available to auditor tools or systems used except This clause addresses organizations that compile information for potential 5 5 and 5 6 the FCRA expressly establishes standards that should not be deviated from by NAP
9. have a policy that prohibits workers from searching files and databases unless they have a bona fide business necessity. When records are to be destroyed or disposed of, CRA shall follow FTC regulations and take measures to ensure that all such records and data are destroyed and unrecoverable. CRA shall provide written policy, procedure or other document (employee handbook, etc.) which instructs CRA employees on appropriate and/or inappropriate use of consumer information. CRA shall provide written policy, procedure or other document (employee handbook, etc.) which instructs CRA employees on appropriate document destruction procedures. CRA employees with access to consumer information shall demonstrate knowledge of proper use of consumer information and be able to access current copy of documentation, i.e. business purposes only and include prohibition of browsing. CRA employees shall demonstrate knowledge and use of proper document destruction procedures and be able to access current documentation. Documentation should require all consumer and client information be disposed of securely so as to render information inaccessible, unreadable and/or unrecoverable per current FTC rules, in which the following methods are permitted: 1 burning, pulverizing or shredding; 2 destroy or erase electronic files; and/or 3 after conducting due diligence, hire a document destruction company. In additio
10. how important it is to fully understand their legal which is signed by the client and includes client acknowledgement Such requirements The Clause does not require that the CRA obtain proof that the end acknowledgment must include but is not limited to 1 CRA is not legal user has consulted counsel They are just required to recommend it counsel and does not provide legal advice 2 advising client of importance of working with their legal counsel to ensure overall screening program compliance and 3 advising clients that consumer reports provided by CRA must be used in compliance with state and federal law CRA may provide information to clients regarding how to order retrieve read Based on further consideration beta test feedback and/or legal review the BSCC and understanding consumer reports by using one or more methods which has added the words the information provided in to clarify that the CRA is not include but are not limited to 1 user manual guide 2 online training user required to provide legal advice in terms of how to use the information guides or help system 3 user training classes webinars 4 one on one training sessions or 5 verbal assistance CRA shall inform clients of client's legal requirements regarding protection of consumer data as part of a Client agreement, User agreement or through some other document which is signed by the client and includes but is not limited to client acknowledgement of consumer da
11. how to advise clients CRA employees responsible for verification of academic credentials and advising clients shall be able to access current copy of documentation AND/OR CRA employees shall identify person(s) responsible for such activity. CRA shall provide full disclosure to clients about general business practices regarding number of attempts to verify information, what constitutes an attempt, locate fees, fees charged by the employer or service provider and standard question formats prior to providing such services. CRA shall present written policy procedure client education material or other written documentation methodology used to client general practices regarding verification practices including provide full disclosure to a client about general business practices attempts to verify fees question formats etc CRA shall present regarding number of attempts to verify information what constitutes written procedure for providing information to clients that accurately an attempt locate fees fees charged by the employer or service describes products including one or more samples of provided provider and standard question formats prior to providing such documents If consumer reports are used to demonstrate full and services accurate procedural disclosure all personally identified information shall be redacted and auditor will not retain copy If interviewed CRA employees shall demonstrate knowledge that pro
12. person who is responsible for CRA shall present written job description policy procedure or other searches may be conducted without violating state or federal law The documentation shall describe how results of these checks are evaluated in relation to employee s access to consumer information state federal law and initial or continued employment CRA shall provide written policy procedure or other documentation describing the methods used to reasonably ensure the accuracy and quality of all work product administer the accreditation processes and future compliance by CRA s accreditation activity and on going compliance with the CRA including enforcement of the standard by all concerned applicable standards requirements as evidenced by written job This person shall be vested with the responsibilities and authority description s or other documentation If multiple people are attendant to this task and shall be the CRA contact for the auditor and accreditation related matters for NAPBS FEBRUARY 16 2009 responsible one person shall hold overall responsibility as evidenced by written job description or other documentation Potential Verification for Onsite Audit CRA shall present written document retention and destruction policy CRA shall make available the person responsible for document retention and destruction If interviewed this person shall demonstrate understanding of retention and destruction requirements
13. researcher in this Clause as a person or entity not working the scope of services agreed to by CRA and researcher including of services is obtained from and retained for all current public record are retained CRA shall make available the person responsible for jurisdictions covered 3 search methodology 4 depth of search 5 creating new conflicting or unintended legal obligations Moreover we believe it is inappropriate to attempt as an employee of the CRA Additionally the BSCC has removed the reference to jurisdictions covered search methodology depth of search researchers CRA shall also provide copy of current agreement obtaining and retaining these agreements and auditor may ask to see disclosure of findings 6 methodology and time frame for communication and to restrict to a single model the business relationships with its own employees or contractors pursued by those furnishers in the last sentence of the Clause The onsite audit has also been disclosure of findings methodology and time frame for Note This agreement may also incorporate Certification but not retain a copy of signed agreements from one or more public completion of requests 7 methodology for confirming identity of subject of in the background screening industry rewritten to include a grandfather clause for public record researcher agreements communication and completion of requests methodology for requirements of Clause 4 3 record researchers Agreements executed
14. the CRA need only demonstrate conformity with this beginning with the date of knowledge that pre-requisites exist before client is permitted access to asking existing clients to sign a new agreement is both burdensome on the client to review and also their application to become accredited CRA's products systems and how the employee knows it is burdensome on the CRA personnel who have to distribute negotiate and track new agreements for existing permissible to activate access clients CRA shall have procedures in place to inform client that they CRA shall provide written policy procedure or other documentation CRA shall present written procedure for informing client that they CRA shall inform clients that they have legal responsibilities and recommend 3 1 The attributes of and suggestions for onsite criteria section for these standards spell certain The BSCC received several comments regarding addressing legal responsibilities have legal responsibilities when using consumer reports for describing how when clients are informed that they have legal have legal responsibilities and recommending that client consult with that clients seek legal counsel as part of a Client agreement User agreement requirements that the Client agreements must contain If all of the requirements are not contained in the The BSCC agrees that the CRA should not be providing legal advice The BSCC employment purposes CRA shall recommend that cli
15. 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and/or availability of requirement describe methodology by which they learn how to obtain expert to provide assistance when needed If classroom or on the job training accurate verifications CRA employees responsible for verification accuracy shall be able to access current copy of documentation AND/OR CRA employees shall identify person(s) responsible for accuracy CRA shall have procedures in place to contact consumer's current employer directly only when authorized by client and/or consumer CRA shall provide written policy procedure or other documentation CRA shall make available to auditor tools or systems used except used to ensure consumer's current employer is not contacted actual personally identifiable information to reasonably ensure directly unless consumer and/or client has provided explicit authorization by the consumer and/or client If interviewed CRA employees responsible for verification of current employment shall demonstrate current employer is not directly contacted without explicit authorization methods which may include but are not limited to 1 written manuals 2 is used a training outline or manual may be used Methods used to reasonably ensure verification accuracy may include but are not limited to confirmation of identity through verification of SSN full name and/or date of birth 2
16. Data, Information and Security. CRA shall have a written information security policy. CRA shall designate one or more individuals within the organization who are responsible for implementing, managing and enforcing the information security policy. CRA shall provide written information security policy. CRA shall present written information security policy. If questioned, CRA employees should demonstrate knowledge of information security policy and be able to access current policy. This is an overarching information security policy which broadly addresses security within the CRA environment. This policy may reference other security policies and/or procedures dealing with specific security topics. The security topics addressed may include some or all of the following, but are not limited to: confidentiality agreements with vendors and employees; physical security of consumer information; electronic security of consumer information; communicating consumer information to vendors, clients and other parties; providing and communicating information to consumers; permissible uses of po
17. actual personally identifiable information to reasonably ensure data future use or sale CRA may provide information regarding accuracy of stored approach For example 5 5 refers to resellers and credit bureau information 5 5 is designed to address compiled and stored is accurate If interviewed CRA employees data to employees who are responsible for such accuracy by using various reuse of stored data This does not comport with the definition of reseller in the FCRA and in all likelihood responsible for accuracy of stored data shall demonstrate knowledge methods which include but are not limited to 1 written manuals 2 online any contract that the CRA would have with the credit bureaus Reseller is a term of art in the FCRA used to of accuracy requirement and describe methodology used to ensure manuals or instructions 3 classroom training 4 on the job training and/or describe those who merely act to pass through data from another consumer reporting agency that actually accuracy CRA employees responsible for accuracy of stored data availability of expert to provide assistance when needed If classroom or on maintains the data to an end user The definitions of the FCRA expressly exclude those who maintain the shall be able to access current copy of documentation identify the job training is used a training outline or manual may be used Methods data from the definition of reseller Moreover tho
18. OMA MILL The term diploma mill means an entity that (A)(i) offers, for a fee, degrees, diplomas or certificates that may be used to represent to the general public that the individual possessing such a degree, diploma or certificate has completed a program of postsecondary education or training; and (ii) requires such individual to complete little or no education or coursework to obtain such degree, diploma or certificate; and (B) lacks accreditation by an accrediting agency or association that is recognized as an accrediting agency or association of institutions of higher education (as such term is defined in section 102) by (i) the Secretary pursuant to subpart 2 of part H of title IV; or (ii) a Federal agency, State government or other organization or association that recognizes accrediting agencies or associations. Clause: If CRA compiles, maintains and resells employment or educational verification information, CRA shall have procedures in place to ensure that data compiled and stored is accurate, including procedures for handling consumer disputes. Measure & Documentation (Typically Subject to Desk Audit): CRA shall present written policy, procedure or other written documentation used to ensure that data compiled and stored is accurate, including procedures for handling consumer disputes. If CRA
19. a direct describing how conflicting data when received within 120 of report described in 5 9 shall demonstrate knowledge of proper procedures result of the initial inquiry that conflicts with originally reported completion and as a direct result of original inquiry is provided to and be able to access current copy of documentation information and that new information is received within 120 days client who originally ordered such report of the initial report or as may be required by law CRA shall have procedures in place to notify client of such information phone number dialed fax number used email address used address to make clients aware of procedures used in attempting verifications including the number and types of which information was mailed etc 3 name and title of contact 4 results of attempts for completion where appropriate Alternatively limit this clause to employment and reference attempt and 4 the CRA employee who made the attempt or obtained reporting information CRA shall present written procedure for obtaining signed agreement The agreement should include but is not limited to 1 the requirement to documentation describing how a signed agreement covering scope copy of agreement and demonstrate where/how signed agreements conduct all verifications in full compliance with applicable law and regulation 2 scope o
20. at client will not use consumer information in violation of any state or federal for accreditation While it may be burdensome to the CRA and/or the client the FCRA and where such agreements are retained CRA shall also see but not retain a copy of signed agreements from one or more law including equal employment opportunity laws 2 7 The attributes of and suggestions for onsite criteria section for these standards spell certain FCRA requires written certification from Client that they will comply with the provide copy of agreement document clients Should requested agreements predate CRA's application requirements that the Client agreements must contain If all of the requirements are not contained in the provisions of the FCRA Therefore CRA must obtain from all clients a signed date for Accreditation auditor will only look to identify language Client agreement but have been provided to Clients via other avenues on Client accessible online sites or via agreement specifically documenting compliance with the FCRA In terms of the regarding compliance with FCRA CRA employees responsible for documents given to clients must the CRA go back to all existing clients and ask them to sign new or language regarding compliance with additional applicable state and federal laws activating client access to CRA systems products shall demonstrate additional agreements understand the requirement for including all of that information going forward but
21. ation requirement prior to utilizing services of public record researcher OR technology shall prevent utilization of public record researcher by CRA employees until CRA Leader has enabled CRA shall obtain proof of public record researcher's Errors and Omissions Insurance. If public record researcher is unable to provide proof of insurance, CRA shall maintain coverage for uninsured and/or underinsured public record researcher. CRA shall provide written policy, procedure or other written documentation describing the requirement to and method used to verify public record researcher's Errors and Omissions insurance and that such insurance remains in force. If researcher does not have or cannot prove existing coverage, CRA shall provide copy of CRA's insurance policy which contains E&O coverage for uninsured/underinsured public record researchers record researcher's E&O insurance and demonstrate where/how such researchers No specific amounts required but a minimum of two million in proof documentation is retained CRA shall make available the coverage is recommended person responsible for retaining this proof and auditor may ask to see but not retain a copy of such proof from one or more public record researchers. In addition, auditor may ask to see but not retain copy of CRA's E&O insurance policy in which coverage for uninsured/underinsured public record researchers is provided. If interviewed CRA
22. cedural requirements exist where such requirements are documented LEADER the person responsible for CRA's products Methods used to reasonably ensure consumer's current employer is directly contacted only with authorization may include but are not limited to: 1 authorization provided on employment application; 2 explicit authorization provided within Disclosure/Authorization signed by consumer; 3 specific directive provided by client; AND/OR 4 technology shall prevent verification of current employment by CRA employees until CRA Leader has so enabled. CRA may provide information regarding verification of academic credentials from diploma mills to employees who are responsible for such verification by using various methods which include but are not limited to: 1 written manuals; 2 online manuals or instructions; 3 classroom training; 4 on the job training; and/or availability of expert to provide assistance when needed. If classroom or on the job training is used, a training outline or manual should be used. Methods used to reasonably ensure identification of diploma mill include but are not limited to: 1 a check of CRA's existing database or list of known diploma mills; 2 a check with the council for higher education; 3 state education departments; and/or 4 an internet search of the academic institution. When advising client regarding diploma mills and putting such information in consumer report, CRA shall avoid
23. cks on owners, principals and employees charged with enforcement of company policy to confirm these individuals are free of convictions for any crimes involving dishonesty, fraud or moral turpitude. CRA shall affirm in writing that owners, officers, principals and employees charged with the enforcement of company policy are free of convictions for any crimes involving dishonesty, fraud or moral turpitude. CRA shall present written procedure for conducting criminal history record checks on owners, principals and employees charged with the enforcement of company policy. CRA shall also demonstrate how results are reviewed for acceptability and where records are retained. CRA shall make available the person responsible for these checks, and auditor may ask to see but not retain a copy of criminal history check results. This clause refers only to the entity being accredited and not any parent company. It covers owners, managers and supervisory personnel who are charged with enforcement of company policy. See Clause 6 10 for all CRA employees. Criminal record checks shall be free of criminal convictions for dishonesty, fraud or moral turpitude. CRA shall maintain errors and omissions insurance. If CRA does not maintain errors and omissions insurance, CRA must self-insure in a manner compliant with its state's insurance requirements. CRA shall provide copy of Certificate of Insurance listing errors and omissions policy coverage
24. der shall affirm his her role as being responsible for organization responsible for CRA s compliance with all sections of CRA s development implementation and on going compliance with documentation which identifies by name and or title the person the federal FCRA that pertain to the consumer reports provided by the CRA for employment purposes The CRA shall designate an individual s or position s within the organization responsible for compliance with all state consumer reporting laws that pertain to the consumer reports provided by the CRA for employment purposes The CRA shall designate an individual s or position s within the organization responsible for compliance with the DPPA that pertain to the consumer reports provided by the CRA for employment purposes if the CRA furnishes consumer reports that contain information subject to the DPPA If the CRA furnishes consumer reports that contain information subject to the DPPA implementing statutes in a particular state s the CRA shall designate an individual s or position s within the organization responsible for compliance with state implementations of the DPPA that pertain to the products and services provided by the CRA for employment purposes all applicable sections of the FCRA as evidenced by written job description s or other documentation If multiple people are responsible one person shall hold CRA Leadership role and overall responsibility as evidenced by
25. discovery by the plaintiff of the violation that is the basis for such liability or 2 5 years after the date on which the violation that is the basis for such liability occurs CRA s are subject to the FTC s document destruction rule which currently requires secure destruction through means that are reasonable and appropriate to prevent the unauthorized access to or use of information in a consumer report For example establishing and complying with policies to burn pulverize or shred papers so that the information cannot be read or reconstructed destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed or conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule Certification language may include but is not limited to agreement by employee to 1 hold use and destroy all client and consumer information in a secure manner 2 provide consumer information to third parties only after following defined authentication procedures 3 abide by physical security practices 4 abide by information security practices and 5 follow all compliance practices of the CRA CRA may provide training to employees regarding confidentiality security and legal compliance practices by using one or more methods which include but are not limited to 1 written materia
26. e laws governing the content of a consumer report are applicable to court researchers providing raw research The Standard was intentionally non specific in terms of business practices As data security standards are constantly changing the BSCC has refrained from specifying the methodology for securing data transmissions Active is not defined in terms of volume or occurrence but in terms of intent If a researcher is identified to receive searches in a particular area if the CRA has a need there the researcher is deemed active The BSCC has rewritten the Clause to allow for reasonable procedures for assuring maximum possible accuracy when determining the identity of a consumer who is the subject of public record As the reporting of name match only records is not addressed in law this remains a business decision of the CRA Due to the potential exposure to the end user and the potential damage to the consumer if the CRA elects to report name match only cases the Clause requires that they identify such to the end user FEBRUARY 16 2009 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA PAGE 6 OF 11 BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Standard with Audit Criteria Public Comment and BSCC Response Measure & Documentation Typically Subject to Desk Audit Potential Verification for Onsite Audit Clause The CRA shall designate a qualified individual s or position s within the organization respons
27. ed except see Public Comments from Clause 5 5 directly above adverse information stored in CRA s database unless it has been re adverse data older than 3 months or less if so required by applicable which include but are not limited to 1 written manuals 2 online manuals or provide written affirmation to that effect CRA shall present written policy procedure or other written documentation used to ensure that all attempts made to verify information are fully documented instructions 3 classroom training 4 on the job training and or 5 availability of expert to provide assistance when needed If classroom or on the job responsible for use of such data shall demonstrate knowledge of 3 training is used a training outline or manual may be used Such information month re verification requirement and describe methodology used to and or training shall include what constitutes adverse information for ensure compliance CRA employees responsible for use of stored different types of background checks through 1 definition 2 examples data shall be able to access current copy of documentation shall and or 3 by referring CRA employees to designated expert identify person s responsible for use of stored data AND OR technology shall prevent utilization of stored adverse data which is older than 90 days CRA shall make available to auditor tools systems or methods used CRA may provide information regarding attempts to
28. employees responsible for working with public record researchers shall demonstrate understanding of E&O requirement prior to utilizing services of public record researcher OR technology shall prevent utilization of public record researcher by CRA employees until CRA Leader has enabled use CRA shall provide a secure means by which public record CRA sh CRA shall present written procedure for sending consumer Security procedures for personally identifiable information should include but 4 5 CRA shall provide a secure What is defined as secure researchers will receive orders and return search results information to and receiving consumer information from public record are not limited to 1 all transmissions should directed to a named party 2 all researchers CRA shall make available the person responsible for transmissions must be clearly marked as CONFIDENTIAL and include a security of transmitted consumer information and auditor may ask to request to notify sender if received by someone other than named party 3 if see demonstration of security tools in use For each transmission faxed a cover page should always be used and must not contain any method CRA may be asked to demonstrate the security controls personally identifiable information 4 if faxed CRA shall have verified which are in use receiving fax is in a non public location 5 if transmitted using CRA network such network should be secured using a
29. ems and or consumer data CRA shall make available the procedure process and or tools used to monitor access and identify potential intrusions CRA should be able to present proof of tools used to protect network data and consumer information This may be intrusion detection testing results firewall protections used secure website etc CRA shall provide procedures for responding to information system intrusions including how consumer notification requirements are determined CRA shall make available the procedure process and or tools used to respond to intrusions If questioned CRA employees should demonstrate knowledge of procedure to be followed in case of intrusion or suspected intrusion and be able to access current documentation Process procedure should include some or all of but is not limited to 1 individual to contact in case of intrusion and his her back ups 2 necessity of immediately stopping intrusion activity if still occurring 3 determination of Notification requirements 4 preparing notification 5 obtaining necessary approvals of notification language 6 communicating notification and 7 de brief to prevent future occurrences CRA shall have procedures in place to ensure backup data is stored in an encrypted or otherwise protected manner CRA shall provide written policy procedure or other documentation explaining data backup storage and access procedures CRA shall make avai
30. ent consult responsibilities when using consumer reports for employment client s legal counsel or through some other document which is signed by the client and includes Client agreement but have been provided to Clients via other avenues on Client accessible online sites or via changed the wording of this Clause to reflect that the CRA shall inform client that their legal counsel regarding their specific legal responsibilities purposes and when how CRA recommends that clients consult their but is not limited to client acknowledgement of legal responsibilities Per the documents given to clients must the CRA go back to all existing clients and ask them to sign new or they have legal requirements not what they are Also replaced advise with legal counsel regarding client s specific legal responsibilities FCRA current legal responsibilities include 1 having permissible purpose 2 additional agreements understand the requirement for including all of that information going forward but recommend disclosing to consumer 3 obtaining consumer authorization 4 following asking existing clients to sign a new agreement is both burdensome on the client to review and also prescribed adverse action procedures 5 complying with all applicable state burdensome on the CRA personnel who have to distribute negotiate and track new agreements for existing and federal law and 6 obtaining retaining using and destroying data in a clients confidential
31. er document which is signed by the client and includes client acknowledgement of receipt of required notices or provide provide such documents Per the FCRA such notices currently include 1 organization and 2 A Summary of Your Rights Under the Fair Credit Reporting Act other written documentation as to CRA s policies & procedures as to how they Notice to Users of Consumer Reports Obligations of Users under the FCRA 2 6 That standard states that clients must be provided all federal FTC prescribed documents The attributes of and suggestions for onsite criteria section of the CRA Standards with audit criteria spreadsheet states that one of the FTC prescribed notices is entitled Remedying the Effects of Identity Theft From reading of the language contained in the notice it seems like something a CRA would give to a consumer not something a CRA must give to a client would propose that the Remedying the Effects of Identity Theft document be something a CRA be required to give to a consumer anytime a consumer states they are a victim of identity theft rather than be a notice that must be given to clients 2 6 The attributes of and suggestions for section states that a CRA may provide the notices as part of a Client agreement etc If a CRA places an acknowledgement in their Client agreement that the client has received all of the notices going forward for new clients does the CRA have to have existing
32. ere as expected and any remedial actions taken 4 6 assurance in regard to their active public record researchers What is active Recommended procedures may include but are not limited to 1 matching a 4 7 CRA shall have procedures in place to confirm What is confirm CRA shall present written documentation for assuring maximum possible accuracy when determining the identity of a consumer who is minimum of two identifiers which may include name date of birth SSN CRA shall follow reasonable procedures to assure maximum CRA shall provide written policy procedure or other written possible accuracy when determining the identity of a consumer documentation describing procedures used to assure maximum who is the subject of a record prior to reporting the information possible accuracy when determining the identity of a consumer who the subject of a record prior to reporting the information CRA shall current and previous addresses and or driver s license number and or 2 CRA shall have procedures in place to notify client of any adverse is the subject of a record prior to reporting the information CRA present written documentation for notifying client of any adverse stating in client report which identifiers were used to conclude a match information that is reported based on a name match only shall provide written policy procedure or other written information that is reported based on a name match only CRA shall ex
33. f interviewed CRA employees responsible for providing consumer information to clients shall demonstrate understanding of authentication requirement prior to providing consumer information to clients OR technology shall prevent providing such information to clients until CRA Leader has enabled process Client authentication methods may include but are not limited to 1 obtaining evidence of right to conduct business such as copy of business license articles of incorporation state filing etc and authentication thereof 2 verification of working business phone fax email and website 3 verification of listing in business directories such as yellow pages Hoover s Dun and Bradstreet etc and 4 onsite inspection to confirm business facility exterior and interior appearance meet common business norms for this type of business CRA shall present written procedure for authenticating new vendors and demonstrate where how authentication results are retained CRA shall make available the person responsible for such authentication and if interviewed this person shall demonstrate understanding of authentication requirements Auditor may ask to see but not retain a copy of authentication records from one or more vendor companies In the case of vendors which are recognized and commonly utilized by CRAs a signed agreement between the vendor and CRA will suffice as authentication Such vendors include but are not limited to
34. f services provided 3 methods used to obtain information 4 time obtaining and retaining these agreements and auditor may ask to see frame for communication and completion of requests 5 methodology for confirming identity of subject of verification 6 confidentiality requirements 7 reinvestigation requirements 8 documented attempts to verify per Clause 5 4 9 background check requirements and acceptable results for provider s employees and 10 signed non disclosure agreements from provider s employees In particular the agreement should emphasize confidentiality requirements including A the legal requirement to treat all consumer information as confidential B secure data transmission and C secure and timely disposal of confidential information CRA may provide information regarding processing and reporting of conflicting data to employees who have this responsibility by using various methods which include but are not limited to 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide assistance when needed If classroom or on the job training is used a training outline or manual may be used Information regarding handling and reporting of conflicting data should include but is not limited to 1 confirmation that conflicting information is specifically related to same consumer same customer and original report 2 verification of
35. h verification by using various result implies that a background screener could not even contact companies that maintain verification databases such as Talx online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide assistance when needed If classroom knowledge of authorization requirement and describe methodology by or on the job training is used a training outline or manual should be used which they learn about such requirement CRA employees responsible for current employer contact shall be able to access current copy of documentation AND OR CRA employees shall identify person s responsible for such contact When attempting educational verifications from known or CRA shall provide written policy procedure or other documentation CRA shall make available to auditor tools or systems used to suspected diploma mills CRA shall have procedures in place to used to reasonably ensure validity of academic institution and reasonably ensure identification of diploma mills and to advise client advise client of such advise client of findings when the institution is a known or suspected when applicable If interviewed CRA employees responsible for diploma mill verification of academic credentials received from diploma mills and advising client shall demonstrate knowledge of diploma mills and describe methodology by which they learn about such diploma mills and
36. he person responsible for such vetting and auditor may ask to see but not retain a copy of vetting records from one or more public record researchers If interviewed CRA employees responsible for working with public record researchers shall demonstrate understanding of vetting requirement prior to utilizing services of public record researcher OR technology shall prevent utilization of public record researcher by CRA employees until CRA Leader has enabled use from subcontractors if subcontractors are used In particular the agreement a misunderstanding is occurring here is our major dispute and followed with comments should emphasize confidentiality requirements including A the legal Agreement requirements In summary the vendor must certify they will follow all applicable state and federal requirement to treat all consumer information as confidential B secure data laws in writing In our opinion this includes reporting restrictions transmission and C secure and timely disposal of confidential information Potential Audit If interviewed CRA employees responsible for working with public record researchers shall Note This agreement may incorporate the Certification requirement of demonstrate understanding of requirement for signed agreement prior to utilizing services of a public record Clause 4 3 researcher Okay so if we understand this correctly we are responsible for having a signed agreement specifically covering ce
37. hich is needed for the specific business purpose which has been identified 3 When communicating SSN s or other data elements as required by law outside the CRA environment secure transport methods shall be used When reporting potentially adverse criminal record information derived from a non government owned or non government sponsored supported database pursuant to the federal FCRA the CRA shall either A verify the information directly with the venue that maintains the official record for that jurisdiction prior to reporting the adverse information to the client or B send notice to the consumer at the time information is reported Legal and Compliance CRA shall provide written policy procedure or other documentation describing method s used to comply with current FCRA requirements of source verification or sending notice to the consumer at the time information is reported CRA employees responsible for the use of non governmental criminal record databases shall demonstrate knowledge of compliant database reporting and be able to access current documentation The policy procedure should include either 1 process for verification of database information by researching in the originating jurisdiction venue or 2 process to inform applicant of potentially adverse information being reported to employer prospective employer Documentation should include statement of appropriate use as being limi
38. ible for understanding court terminology as well as understanding the various jurisdictional court differences if CRA reports court records CRA shall employ or retain a minimum of one person who is CRA shall present written job description policy procedure or other responsible for CRA s understanding implementation and on going documentation which identifies by name and or title the person use of court terminology as well as variances which may exist at the responsible for court jurisdictional knowledge CRA shall make this jurisdictional level as evidenced by job description or other documentation If multiple people are responsible one person shall affidavit or similar document in which the person has affirmed their hold CRA Leadership role and overall responsibility as evidenced by written job description or other documentation and that s he is qualified to hold such responsibility If interviewed this individual shall demonstrate knowledge of court and jurisdictional Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity Public Comment Petled Feedback An individual may be qualified if they have one or more of the following 1 criminal justice degree 2 law enforcement experience 3 legal experience 4 court experience 5 investigator experience and or 6 three years work 4 8 how is qualified being defined Compliance CRA Leader shall affirm his her role as being
39. ing attempts to verify should include but is not limited to 1 infrastructure necessary for documenting ALL attempts for ALL types of verifications is high 3 Perhaps be documented where such requirements are documented identify date and time of contact or attempted contact 2 method of contact such as unnecessary Instead of clause 5 7 as written a clause stating something along the lines of CRA s shall BSCC Response The BSCC have removed the term reseller to clarify the intent of the Clause and has also removed the last sentence addressing technological tools from the suggestions for onsite audit The BSCC has changed the wording they do to the CRA does to further clarify the Clause No other changes were made The BSCC does not agree that documenting verification attempts is burdensome The Clause falls under the Section Verification Services Standards This does not apply to services other than employment education and license verifications as well as reference interviews The BSCC has replaced the word record to document and has inserted the word verification in two places within the Clause for further clarification Additionally Clause 5 4 addresses procedural disclosures to clients about general business practices regarding number of attempts to verify information etc the person responsible for CRA s products and processes AND OR technology shall automatically capture attempts to verify and related inf
40. isted and or 3 stating information is based on a name match only if CRA documentation describing procedures used to notify client of any make available the person responsible for ensuring compliance with reports based on single identifier adverse information that is reported based on a name match only CRA s policy in regard to assuring maximum possible accuracy when reporting adverse information based on a name match only CRA employees responsible for such identification shall demonstrate knowledge of identification requirement and be able to access current Clause 4 7 We have CRAs reporting name match only How do you verify adverse data on name only We should add that we will not report name only information BSCC Response The legal and ethical conduct aspects of this Clause only address Public Records Researchers as that is the subject of this section of the Standard The BSCC has added the term applicable to the first sentence of the Clause however has made no further changes A concern was expressed that requiring public record researchers to conduct research in compliance with all applicable local state and federal laws imposes additional requirements on researchers and would infringe on the CRAs responsibility to make sure that the consumer report itself was in compliance with applicable law The BSCC agrees that the CRA is solely responsible for the content of the consumer report and does not believe that th
41. l 2 online training 3 training classes webinars 4 one on one training sessions and or 5 on the job training Visitor security policy must include method s which prevent visitors from accessing consumer information These methods may include but are not limited to 1 use of sign in out registry 2 issuance of temporary badges 3 situations in which a CRA employee must escort the visitor 4 controlled access to systems and data and 5 controlled access to areas of facility in which consumer information is readily available on screens or hard copy The evaluation of employee criminal check results and employment continued employment must comply with applicable state or federal law in relation to work performed by the CRA and licenses held by the CRA such as private investigator The evaluation of employee criminal check results may also include but are not limited to 1 position employee holds or will hold with CRA 2 the nature of the offense s 3 the time elapsed since the offense s occurred 4 the conduct of the employee since the offense s 5 evidence of rehabilitation and 6 employment history CRA may provide information regarding quality and accuracy of work product to employees who are responsible for such quality and accuracy by using various methods which include but are not limited to 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expe
42. lable the individual responsible for data backup and storage This individual shall be able to describe and or provide documentation related to backup and data storage The process used to backup and store data should include limiting backup to select authorized individuals secure transport of backup tapes to storage facility and security at the storage location At a minimum this includes locked storage facility and password protected access CRA shall require strong password protocol pursuant to current security best practices which explains password protocol and how such protocol is used CRA shall provide written policy procedure or other documentation CRA shall make available the individual responsible for password protocol This individual shall be able to describe and or provide documentation related to password characteristics assignment replacement and recordkeeping If questioned CRA employees who use passwords shall explain process to obtain a password for him herself and or client and be able to access current documentation CRA shall have procedures in place to control access to all electronic information systems and electronic media that contain consumer information CRA shall have procedures in place to administer access rights Users shall only be given the access necessary to perform their required functions Access rights shall be updated based on personnel or system changes CRA
43. ly forbid bribery or any other fraudulent activity to obtain preferential treatment from a public official If interviewed CRA employees responsible for obtaining public record information shall demonstrate knowledge of anti bribery fraudulent activity policy and be able to access current documentation CRA shall affirm that they do not engage in bribery or other fraudulent activity and that CRA has never been convicted of such activity advise Accreditation Review Board Board shall review specifics of case to determine whether CRA may proceed with the accreditation process If CRA has been convicted of bribery or other fraudulent activity auditor shall CRA shall provide client all federal FCRA required FTC prescribed documents which the federal FCRA mandates be provided to client by the CRA CRA shall provide written policy procedure or other written documentation describing when how clients are provided with copies of required FTC publications CRA shall make available to auditor one or more documents which provide evidence that CRA has provided prescribed documents to client CRA shall make available the person responsible for providing notices either in person by phone OR shall provide a signed affidavit or similar document in which the person has affirmed his her responsibility for compliance with notification requirements within the CRA may provide required notices as part of a Client agreement User agreement or some oth
44. ly if they are in the CRA s custody Any entity mailing or faxing consumer reports would be responsible for documents not even in its possession under this standard The BSCC has inserted under the control of the CRA into the Clause to clarify that this clause is addressing information under the control of the CRA Data transmission security is covered in other areas of the Standard Based on further consideration beta test feedback and or legal review the BSCC has removed effectively from the Clause CRA shall have procedures in place to control physical access to all areas of CRA facilities that contain consumer information CRA shall have a Consumer Information Privacy Policy detailing the purpose of the collection of consumer information the intended use and how the information will be shared stored and destroyed The CRA shall post this policy on its Web site if it has one and will make said policy available to clients and or consumers upon request in at least one other f
45. major credit bureaus repositories of education and employment data motor vehicle record resellers etc For unknown vendors authentication records may include but are not limited to 1 onsite inspection results 2 evidence of right to conduct business such as copy of business license articles of incorporation state filing etc and authentication thereof 3 verification of working phone fax numbers website email 4 reference through a minimum of one independent third party and or 5 previous experience of CRA when working with vendor CRA shall develop and implement requirements for what information consumers shall provide as proof of identity prior to providing file disclosure to the consumer The CRA shall maintain procedures to document the information used to identify each consumer to whom file disclosure is provided CRA shall provide written policy procedure or other written documentation describing how when consumer authentication identification occurs prior to disclosing consumer information and where record of such authentication is kept CRA shall present written procedure for confirming consumer s identity prior to providing any consumer information to such person Auditor may ask to see demonstration of consumer identification how CRA representative confirms identity of consumer and where record of authentication is retained Consumer identification processes may include but are not limited to confi
46. Clause: CRA shall provide sample documents or inform client of specific documents which are needed to meet legal requirements regarding employer's procurement and use of consumer reports.
Measure: CRA shall provide written policy, procedure or other documentation describing how/when clients are provided with sample documents, or how/when clients are informed of specific documents which are needed to meet legal requirements regarding employer's procurement and use of consumer reports. If CRA provides sample documents, such documents shall also be provided.
Onsite Verification: CRA shall present documentation describing how/when sample documents are provided (and any sample documents which are provided), or how/when clients are informed of specific documents which are needed to meet legal requirements regarding employer's procurement and use of consumer reports. CRA shall make available the person responsible for providing sample documents or informing clients of the specific documents needed. If interviewed, CRA employees shall demonstrate knowledge of client-required documents and be able to access a current copy of documentation, AND/OR CRA employees shall identify person(s) to address such topics.
Onsite Attributes: CRA shall provide samples of documents which are required for client to procure and use consumer reports, or shall inform them of required documents. These currently include but are not limited to: 1) disclosures and authorizations to meet current federal and state requirements, including special disclosure and authorization requirements in CA, OK, MN and NY; 2) required forms and/or information to obtain statewide criminal record searches in those states where currently required, including AK, IN, MA, NH, NM, NV, OH, VA, WV, WY; 3) required forms and/or information to obtain driving records in those states where currently required, including CA, CO, DE, GA, MD, MI, NH, OH, PA, WA. CRA may also provide sample disclosure, authorization and/or adverse action notices. CRA may also include other documents which must be provided to clients as described in Clause 2.6.
BSCC Response: Based on further consideration, beta test feedback and/or legal review, the BSCC changed the Clause to eliminate the word "guidance" and/or to eliminate the potential for interpreting this as requiring legal advice. The intent of the Clause is to require the CRA only to provide what is specifically scripted in law, not interpreting the law.
47. Onsite Verification (continued): ments from one or more clients. If interviewed, CRA employees shall demonstrate knowledge of CRA's position that legal counsel is not provided and be able to access a current copy of documentation, AND/OR CRA employees shall identify person(s) to address legal topics.
BSCC Response (continued): related to the use of CRA-provided information are in compliance with applicable state and federal laws.
Clause: CRA shall provide guidance to client on how to order/retrieve, read and understand the information provided in consumer reports provided by the CRA.
Measure: CRA shall provide written policy, procedure or other documentation describing how/when clients are provided with information regarding obtaining and understanding consumer reports. CRA shall provide a copy of the documents used to so inform the client.
Onsite Verification: CRA shall present written procedure for informing client how to obtain and understand consumer reports from CRA. CRA shall make available the documents or systems used to so inform clients. If interviewed, CRA employees shall demonstrate knowledge of how such education is provided and be able to access a current copy of documentation, AND/OR CRA employees shall identify person(s) to address such topics.
Onsite Attributes: CRA shall demonstrate online tools, information such as a User Guide provided to clients, or other method(s) used to assist clients.
Clause: CRA shall provide information to client regarding 1) the sensitive
Measure: CRA shall provide written policy, procedure or other documentation
Onsite Verification: CRA shall present written procedure fo
48. Clause: CRA shall communicate to clients the nature of the original source, limitations, variables affecting the information available
Measure: CRA shall provide written policy, procedure or other documentation describing how/when clients are provided with information that accurately describes consumer reporting products
Onsite Verification: CRA shall present written procedure for providing information to clients that accurately describes consumer reporting products
Onsite Attributes: Information disclosed regarding consumer reporting products shall include but is not limi
BSCC Response: Based on further consideration, beta test feedback and/or legal review, the BSCC
49. minimum of 128-bit SSL; 6) if transmitted via Internet, data shall be encrypted or protected in a comparable manner.
Measure (continued): documentation describing the requirement to and method used to secure and protect consumer information when such information is being transmitted to and returned by public record researchers.
Clause: CRA shall maintain auditing procedures for quality assurance in regard to their active public record researchers.
Measure: CRA shall provide written policy, procedure or other written documentation describing the requirement to and method used to audit public record researchers in order to actively monitor the quality of researcher work.
Onsite Verification: CRA shall present written documentation for auditing public record researchers. CRA shall make available the person responsible for such audits, and auditor may ask to see but not retain a copy of audit results for one or more public record researchers.
Onsite Attributes: Audit procedures for public record researchers may include but are not limited to: 1) an established protocol for auditing researchers; 2) sending research requests where the result is already known; 3) how returned results are compared to expected results; and 4) a process for dealing with researcher errors, up to and including termination of services. It is recommended that test cases be entered in a log with results that may include: A) date of test; B) unique identifier such as order number or subject name plus last four digits of SSN; C) results returned; D) whether results w
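The seeded-request audit the attributes above describe (research requests whose correct result is already known, comparison of returned results to the expected results, one log entry per test case with a masked identifier, and an escalation path up to termination) can be run as a small program. The following is an added example written for this page; it is not code from NAPBS, the BSCC or any CRA. The record fields that are compared, the 10% error-rate threshold, the escalation labels and the sample test cases are all assumptions made for the example.

```python
"""Known-answer audit of public record researcher results (added example).

Assumptions (not from the standard): the Record fields compared, the
10% error-rate threshold, the escalation labels, and the sample cases.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    """Minimal court-record result; all values below are constructed sample data."""
    subject_name: str
    ssn_last4: str
    case_number: str
    charge: str
    disposition: str


@dataclass(frozen=True)
class TestCase:
    order_number: str
    researcher: str
    test_date: date
    expected: Optional[Record]  # None: seeded subject is known to have no record
    returned: Optional[Record]  # None: researcher reported "no record found"


def _norm(value: str) -> str:
    """Ignore case and whitespace differences so formatting is not counted as an error."""
    return " ".join(value.split()).casefold()


def mask_identifier(name: str, ssn_last4: str) -> str:
    """Log identifier as the standard suggests: name plus last four digits of SSN only."""
    return f"{name} / ***-**-{ssn_last4[-4:]}"


def classify(expected: Optional[Record], returned: Optional[Record]) -> str:
    """Compare a returned result to the known answer for the seeded request."""
    if expected is None and returned is None:
        return "match"
    if expected is None:
        return "false_positive"      # a record reported for a subject who has none
    if returned is None:
        return "missed_record"       # an existing (adverse) record was not found
    diffs = [f for f in ("case_number", "charge", "disposition")
             if _norm(getattr(expected, f)) != _norm(getattr(returned, f))]
    return "match" if not diffs else "field_mismatch:" + ",".join(diffs)


def log_entry(tc: TestCase) -> Dict[str, str]:
    """One log row: date, unique identifier, results returned, outcome."""
    subject = tc.expected or tc.returned
    ident = (mask_identifier(subject.subject_name, subject.ssn_last4)
             if subject else tc.order_number)
    return {
        "date": tc.test_date.isoformat(),
        "order_number": tc.order_number,
        "identifier": ident,
        "researcher": tc.researcher,
        "results_returned": "none" if tc.returned is None else tc.returned.case_number,
        "outcome": classify(tc.expected, tc.returned),
    }


def audit(cases: List[TestCase]) -> List[Dict[str, str]]:
    """Run every seeded test case and return the log rows."""
    return [log_entry(tc) for tc in cases]


def researcher_decision(log: List[Dict[str, str]], researcher: str,
                        max_error_rate: float = 0.10) -> str:
    """Escalation rule (assumed for the example): any missed record suspends the
    researcher pending review; otherwise an error rate above the threshold means
    retraining; otherwise the researcher passes."""
    rows = [r for r in log if r["researcher"] == researcher]
    if not rows:
        return "no_tests"
    if any(r["outcome"] == "missed_record" for r in rows):
        return "suspend_pending_review"
    errors = sum(1 for r in rows if r["outcome"] != "match")
    return "retrain" if errors / len(rows) > max_error_rate else "pass"


# Constructed sample test cases; names, numbers and records are fictitious.
_EXP_A = Record("Jane Example", "1234", "CR-2007-0452", "theft", "dismissed")
_EXP_B = Record("John Sample", "9876", "CR-2006-1187", "dui", "convicted")
_EXP_C = Record("Pat Specimen", "5555", "CR-2008-0031", "assault", "pending")
SAMPLE_CASES = [
    TestCase("R-1001", "vendor_a", date(2009, 2, 16), _EXP_A,
             Record("Jane Example", "1234", "cr-2007-0452", "Theft ", "Dismissed")),
    TestCase("R-1002", "vendor_a", date(2009, 2, 16), None, None),
    TestCase("R-1003", "vendor_b", date(2009, 2, 17), _EXP_B, None),
    TestCase("R-1004", "vendor_b", date(2009, 2, 17), _EXP_C,
             Record("Pat Specimen", "5555", "CR-2008-0031", "assault", "dismissed")),
    TestCase("R-1005", "vendor_a", date(2009, 2, 18), _EXP_C, _EXP_C),
]

if __name__ == "__main__":
    entries = audit(SAMPLE_CASES)
    for row in entries:
        print(row)
    for vendor in ("vendor_a", "vendor_b"):
        print(vendor, "->", researcher_decision(entries, vendor))
```

Two design points matter for an audit of this kind: the log never stores the full SSN (only the last four digits, as the standard suggests), and a missed adverse record is treated as a separate, more serious category than a formatting or disposition mismatch, because it is the error that an employer would never see.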
50. n paper documents containing personally identifiable information (particularly name, date of birth and SSN), if retained at individual desks/workstations, shall be destroyed or inaccessible no later than the end of each work day.
Clause: CRA shall have procedures in place for handling and documenting a consumer dispute that comply with the federal FCRA.
Measure: CRA shall provide written policy, procedure or other documentation which instructs CRA employees on consumer dispute procedures.
Onsite Verification: CRA employees responsible for consumer disputes shall demonstrate knowledge of proper consumer dispute procedures and be able to access a current copy of documentation. Auditor may request to see a redacted copy of dispute documentation.
Onsite Attributes: The policies and procedures designed to handle consumer disputes must meet FCRA requirements, which include but are not limited to: 1) no charge to consumer; 2) re-investigate, correct and/or delete disputed information within 30 days (or 45 days if extended) of notice of dispute; 3) notify information provider of dispute within 5 days of receipt; 4) consider information provided by consumer; 5) advise consumer if dispute is deemed frivolous or irrelevant; 6) notify appropriate parties of dispute results; and 7) comply with consumer request for a description of the re-investigation process. In addition, CRA should document: 1) responsibility of CRA employee receiving consumer dispute; 2) how incoming consumer dispute le
51. n the NAPBS website, or is it sufficient to include an acknowledgment in the agreement that the provider will comply with the NAPBS Provider Guidelines?
FEBRUARY 16, 2009 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA, PAGE 5 OF 11
BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM: Standard with Audit Criteria, Public Comment and BSCC Response. Columns: Clause | Measure & Documentation (Typically Subject to Desk Audit) | Potential Verification for Onsite Audit | Attributes of and Suggestions for Onsite Audit (What auditor should look for in policy, procedure, activity) | Public Comment Period Feedback | BSCC Response
Clause: CRA shall require public record researcher to certify in writing that they will conduct research in compliance with all applicable local, state and federal laws as well as in the manner prescribed by the jurisdiction which maintains the official record of the court, never obtain information through illegal or unethical means, and utilize document disposal and/or destruction methods pursuant to the federal FCRA.
Measure: CRA shall provide written policy, procedure or other written documentation describing how/when/where the signed certification is obtained from and retained for all current public record researchers. CRA shall also provide a copy of the current certification. Note: This certification may be incorporated in, or an appendix to, the Public Record Researcher Agreement described in Clause 4.1.
Onsite Verification: CRA shall present written procedure for obtaining signed ce
52. nge.
BSCC Response: Based on further consideration, beta test feedback and/or legal review, the BSCC has rewritten the Clause and Measure for clarification.
BSCC Response: The BSCC believes that any file disclosure within the employment screening context can represent significant risk to the consumer. The Clause has been rewritten for style; however, it continues to provide the appropriate level of due diligence for the employment screening environment.
Clause: CRA shall have a written record retention and destruction policy pursuant to the federal FCRA.
Measure: CRA shall provide written policy, procedure or other written documentation describing CRA's record retention and destruction practices.
Clause: CRA shall require all workers to certify they will adhere to the confidentiality, security and legal compliance practices of the CRA.
Clause: CRA shall provide training to all workers on confidentiality, security and legal compliance practices of the CRA.
Clause: CRA shall utilize a visitor security program to ensure visitors do not have access to consumer information.
Measure: CRA shall provide written policy, procedure or other written documentation describing how/when CRA obtains from all employees a cer
53. ormat
Measure: CRA shall provide written policy, procedure or other documentation explaining how access to areas of CRA facilities containing consumer information is controlled, describing the physical security measures in place.
Onsite Verification: Auditor may interview CRA staff about physical security procedures.
Onsite Attributes: Process/procedure should include some or all of, but is not limited to, the following: 1) procedures for granting levels of access to CRA personnel (e.g. assignment of keys or security system passcodes); 2) procedures for authorizing and monitoring guests (including the auditor) to the facility; and 3) control of access by staff, contingent workers, vendors, etc.
Measure: CRA shall provide a copy of the Consumer Information Privacy Policy along with the address of the policy on the CRA's website (if CRA has a website) and an explanation of other means by which the privacy policy is communicated.
Onsite Verification: CRA employees shall be able to access a current copy of the Privacy Policy and describe the process by which the privacy policy may be communicated externally.
Onsite Attributes: The policy should include some or all of, but is not limited to, the following: the purpose of the collection of consumer information, the intended use, and how the information will be shared, stored and destroyed. The CRA shall post this policy on its website if it has one and will make said policy available to clients and/or consumers upon request utilizing at least one other method.
CRA shall
54. ormation
Clause: CRA shall require a signed agreement from all providers of outsourced verification services. The agreement shall clearly outline the scope of services to be provided, verification methodology, documentation of verification efforts, disclosure of findings, time frame for communication and completion of requests, confidentiality requirements, reinvestigation requirements and other obligations as furnishers of information under the federal FCRA.
Measure (continued): verification of services is obtained from and retained for all current outsourced verification service providers. CRA shall also provide a copy of the current agreement. If CRA does not utilize stored data, CRA shall provide written affirmation to that effect.
Onsite Verification (continued): are retained. CRA shall make available the person responsible for these agreements; auditor may ask to see but not retain a copy of signed agreements from one or more outsourced verification service providers. If interviewed, CRA employees responsible for working with these providers shall demonstrate understanding of the requirement for a signed agreement prior to utilizing services of the provider, OR technology shall prevent utilization of the provider by CRA employees until the CRA Leader has enabled use.
Clause: Should CRA receive information from the verification source subsequent to the delivery of the consumer report, and as
Measure: CRA shall provide written policy, procedure or other written documentation
Onsite Verification: CRA employees responsible for reporting conflicting data as
55. ormation, AND/OR the person responsible for CRA's consumer reporting products.
Onsite Attributes (continued): shall be redacted.
Clause: CRA shall inform client that there are legal requirements imposed by the federal FCRA and, in some instances, state consumer reporting laws regarding taking adverse action against a consumer based on a consumer report. CRA shall recommend
Measure: CRA shall provide written policy, procedure or other documentation describing how/when clients are informed that there are legal requirements imposed by the federal FCRA and, in some instances, state consumer reporting laws regarding taking adverse action
Onsite Verification: CRA shall present written procedure for informing client that there are legal requirements regarding adverse action and advising client to consult with legal counsel. CRA shall make available the document(s) used to so inform client
Onsite Attributes: CRA may inform client that there are legal requirements regarding adverse action as part of a Client agreement, User agreement or through some other document which is signed by the client and includes client acknowledgement
Public Comment: 3.4 Before doing business with a client, client is certifying adherence to the FCRA; why is it being stated they should consult their legal counsel prior to taking adverse action?
BSCC Response: The BSCC feels that the industry (CRA and end users) faces enormous exposure when the end users do not follow the proper adverse action procedures, and therefore is requiring the CRA to identify this as a stand-alone issue. The entire Clause has
56. orts to clients.
Clause: CRA shall obtain a signed agreement from client (referred to as "user" in the federal FCRA) in which client agrees to meet the requirements of the federal FCRA and applicable state and federal laws.
Measure: CRA shall provide written policy, procedure or other written documentation describing when and how clients sign the required agreement in which client agrees to comply with applicable state and federal laws, specifically including the requirements within the
Onsite Verification: CRA shall present written procedure for obtaining a signed copy of the agreement document and demonstrate where/how signed agreements are retained. CRA shall make available the person responsible for retaining these agreements, and auditor may ask to th
Onsite Attributes: The agreement must meet requirements of the FCRA, which currently include: 1) permissible purpose; 2) disclosure and authorization; 3) adverse action; 4) compliance and confidentiality; 5) compliance with all applicable laws and regulations; and 6)
Public Comment: Clause 2.7 Why is including permissible purpose, disclosure and authorization, state or federal EEOC, adverse action being added? This should be deleted. CRAs should only have to get certification that clients agree to meet the requirements of the federal FCRA.
BSCC Response: The BSCC has rewritten the clause to eliminate references to specific laws other than the FCRA. The Onsite Audit section has also been rewritten to include a grandfather clause for client agreements signed prior to the CRA's application date.
57. Onsite Verification (continued): prior to the CRA's application date for Accreditation need not be in full conformance with this clause until such time as the CRA undergoes the interim surveillance audit before the end of the 3rd year of the Accreditation, so as to provide the CRA time to update all researcher agreements. If interviewed, CRA employees responsible for working with public record researchers shall demonstrate understanding of the requirement for a signed agreement prior to utilizing services of the public record researcher, OR technology shall prevent utilization of the public record researcher by CRA employees until the CRA Leader has enabled use.
Clause (continued): confirming identity of subject of record(s), confidentiality requirements and reinvestigation requirements.
Onsite Attributes (continued): record(s); 8) confidentiality requirements; 9) reinvestigation requirements; and 10) the requirement for public record researcher to obtain a similar agreement.
Public Comment: 4.1 & 4.3 Researcher agreement: If we understand the position taken by the committee (please correct us if
BSCC Response (continued): signed prior to the CRA's application date for accreditation.
Clause: CRA shall have procedures in place to vet or qualify new public record researchers.
Measure: CRA shall provide written policy, procedure or other written documentation describing the requirement to and methodology used to vet or qualify new public record researchers.
Onsite Verification: CRA shall present written procedure for vetting new public record researchers and demonstrate where/how vetting results are retained. CRA shall make available t
58. r information shall be able to explain and demonstrate procedures for protecting consumer information in their possession, whether such information is used internally and/or externally, and be able to access current documentation. CRA will also be able to demonstrate electronic and physical protection of consumer information.
Onsite Attributes: The policies and procedures designed to protect consumer information may include some or all of the following, but are not limited to: 1) securing unattended workstations; 2) limited access to networks, data and work areas; 3) limiting consumer information provided to information sources to only that information which is needed to conduct a search; 4) destruction of hard copy documents; 5) identification of caller before providing consumer information; 6) employee badging or other identification system; 7) unescorted visitor policy; 8) secure document destruction; 9) secure transport of information; 10) use of encryption and/or secure networks and/or websites; 11) password assignment and replacement; 12) controlling use of portable storage devices; 13) alarm systems; 14) door locks; and 15) secure server and back-up sites.
Clause: CRA shall have procedures in place to detect, investigate and respond to an information system intrusion, including consumer notification where warranted.
Measure: CRA shall provide procedures for detecting and identifying information system intrusions (unauthorized access to computer syst
59. r informing client of client's legal responsibilities regarding protection of consumer data. CRA shall make available the documents used to so inform clients and the person responsible for retaining signed acknowledgments, and auditor may ask to see but not retain a copy of signed acknowledgments from one or more clients. If interviewed, CRA employees shall demonstrate knowledge of client's requirement to protect consumer data and be able to access a current copy of documentation, AND/OR CRA employees shall identify person(s) to
Clause (continued): nature of consumer reports; 2) the need to protect such information; and 3) the consumer report retention and destruction practices as outlined in the federal FCRA and the DPPA.
Measure (continued): describing how/when clients are provided with information regarding the importance of and legal requirement to protect consumer data presented in consumer reports. CRA shall provide a copy of the document(s) used to so inform client.
Onsite Attributes: CRA shall inform clients that CRA does not function as legal counsel as part of a Client agreement, User agreement or through some other document.
Public Comment: 3.5 A whole section on Legal Counsel; are we pushing attorney fees? How is this communication going to be certified? More paperwork. Delete 3.5.
BSCC Response: Due to the extreme exposure to end users, the BSCC feels it is critical to communicate to end users
60. reasonably ensure the accuracy and quality of all work product.
Onsite Verification: CRA shall make available to auditor tools or systems used (except actual personally identifiable information) to reasonably ensure accuracy and quality in all work product. If interviewed, CRA employees responsible for work product shall demonstrate knowledge of accuracy and quality requirements, describe methods used to ensure quality and accuracy, be able to access a current copy of documentation, and identify person(s) responsible for providing on-the-job quality and accuracy leadership.
Onsite Verification: documentation which identifies by name and/or title the person responsible for accreditation activity and on-going compliance. CRA shall make this person available either in person or by phone, OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for accreditation activity and on-going compliance within the organization and that s/he is qualified to hold such responsibility. If interviewed, CRA employees shall identify the person(s) who can provide accreditation expertise when needed.
Onsite Attributes: CRAs should retain records to comply with the limitation of liability action per the FCRA, which is currently not later than the earlier of 1) 2 years after the date of
61. responsible for
Public Comment (continued): what type of work experience qualifies
Measure (continued): responsibility for court jurisdictional knowledge within the organization
Onsite Verification (continued): court jurisdictional knowledge within the organization and that s/he is qualified to hold such responsibility. If interviewed, CRA employees shall identify the person(s) who can provide court jurisdictional expertise when needed.
Onsite Attributes (continued): knowledge, as well as identifying resources for additional information.
Clause: CRA shall provide qualifications of the Court Jurisdictional Knowledge CRA Leader.
Measure: CRA shall provide evidence of qualifications by presenting resume, educational credentials, experience and/or other documentation.
Verification Service Standards
Clause: CRA shall maintain reasonable procedures to assure maximum possible accuracy when obtaining, recording and reporting verification information.
Measure: CRA shall provide written policy, procedure or other documentation used to reasonably ensure accuracy and thoroughness in the verification process.
Onsite Verification: CRA shall make available to auditor tools or systems used (except actual personally identifiable information) to reasonably ensure verification accuracy. If interviewed, CRA employees responsible for verification accuracy shall demonstrate knowledge of accuracy
Onsite Attributes: CRA may provide information regarding verification accuracy to employees who are responsible for such accuracy by using various methods which may include but are not limited to
Public Comment: N/A (FCRA)
62. rmation of: 1) full name; 2) date of birth; 3) street address used on application or authorization document; 4) last four digits of SSN; and 5) driver's license number.
Public Comment Period Feedback: 5.10 uses an undefined term, "professional manner", to outline its requirements. The Measure provides no guidance on this definition. Clause 5.11: do not like the word "confirm"; it is very strong. "Determine" would be a better choice of words. 6.5: This rule does not use the language and specific guidance of FTC regulations 16 CFR 614.1. The guidance of the FTC indicates that, with respect to authenticating consumers in the file disclosure process as well as in disclosing consumer information generally, the CRA is to follow what is essentially a risk-based approach. By outlining a rigid and uniform approach to authentication, the Standard creates new, different and unexpected legal requirements.
BSCC Response: The BSCC has inserted the wording "engaged in verification work" on procedures to further clarify the Clause. Additionally, the BSCC does not feel it necessary to define the term "professional manner" within the Measure, but instead would offer as reference Merriam-Webster's Online Dictionary definition of "professional", which states in part: "exhibiting a courteous, conscientious and generally businesslike manner in the workplace". The BSCC has taken the comment into consideration and has made no cha
63. rt to provide assistance when needed. If classroom or on-the-job training is used, a training outline or manual may be used. The person responsible for overall accreditation shall affirm his/her role as being responsible for accreditation/certification activity and on-going compliance within the organization and that s/he is qualified to hold such responsibility.
64. rtable and/or removable electronic storage devices.
Measure: CRA shall employ or retain a minimum of one person who is responsible for CRA's overall information security program. This will be evidenced by written job description, policy, procedure or other documentation. If various people are responsible for different aspects of the program, one person shall hold overall responsibility, as evidenced by job description, organizational chart or other documentation.
Onsite Verification: CRA shall present written job description, policy, procedure or other documentation which identifies by name and/or title the person responsible for the overall information security program. CRA shall make available documentation which clearly identifies the person, by name and title, who is responsible for the overall information security program.
Clause: CRA shall have procedures in place to protect consumer information under the control of the CRA from internal and external unauthorized access. These procedures shall include specifications for the securing of information in both hard copy and electronic form, including information stored on portable and/or removable electronic devices.
Measure: CRA shall provide the written procedures in place to protect consumer information from unauthorized electronic and/or physical access. This includes the collection, use, storage and destruction of consumer information in both paper and electronic form.
Onsite Verification: CRA employees dealing with consume
65. rtain points with each vendor we use. The time frame in which that agreement is executed is undefined. Concern 1: First, we understand these standards will set the pace in our industry and raise the bar for certain vendors. However, it may take time for these requirements to take effect; we feel like there is some middle ground on this subject. Concern 2: Hypothetical situation: Vendor performs work, doesn't sign the working agreement that accompanied the search request. CRA takes reasonable and beyond-reasonable steps (doesn't pay bill, etc.) to obtain a signed copy of the agreement. Vendor doesn't comply. We guess, to the letter of the law, there is no time line requirement for obtaining an agreement, so the CRA remains in accreditation compliance? If so, what is the point of auditing for signed agreements? If that is not true, it needs to clearly state that. It would be nice if this was further defined.
Onsite Attributes: The vetting records may include but are not limited to: 1) evidence of right to conduct business, such as copy of business license, articles of incorporation, state filing, etc.
Public Comment: 4.2 On the CRA Accreditation Standard with Audit Criteria, Attributes of and Suggestions of Onsite Audit (What auditor should look for in policy, procedure, activity) section, it states that CRAs shall have procedures in
BSCC Response: The BSCC has changed the term "should" to "may" in the Attributes of and Suggestions for Onsite Audit criteria so CRA is not restricted in their methodology.
66. rtification and a copy of the certification, and demonstrate where/how signed certifications are retained. CRA shall make available the person responsible for retaining these certifications, and auditor may ask to see but not retain a copy of signed certifications from one or more public record researchers. Note: This certification may be part of the Public Record Researcher Agreement described in Clause 4.1. Certifications executed prior to the CRA's application date for Accreditation need not be in full conformance with this clause until such time as the CRA undergoes the interim surveillance audit before the end of the 3rd year of the Accreditation, so as to provide the CRA time to update all researcher certifications. If interviewed, CRA employees responsible for working with public record researchers shall demonstrate understanding of certific
Onsite Attributes: The Certification in which the Public Record Researcher agrees must include but is not limited to the following: 1) to comply with all applicable local, state and federal laws as well as in the manner prescribed by the jurisdiction which maintains the official record of the court; 2) to obtain information only through legal and ethical means; and 3) to dispose of or destroy confidential documents in a secure manner per the FTC document destruction rule. Note: This certification may be part of the Public Record Researcher Agreement described in Clause 4.1.
Public Comment: See Public Comments from Clause 4.1 above.
67. s the person responsible for retaining signed acknowledgments, and auditor may ask to see but not retain a copy of signed acknowledgments from one or more clients. If interviewed, CRA employees shall demonstrate knowledge of client's requirement to follow adverse action processes and be able to access a current copy of documentation, AND/OR CRA employees shall identify person(s) to address such topics.
Clause (continued): to client that they consult with counsel to develop a legally compliant adverse action policy.
Measure (continued): against a consumer based on a consumer report. CRA shall also provide a copy of the document used to recommend to client that they consult with counsel to develop a legally compliant adverse action policy.
Onsite Attributes: Per the FCRA, client's current legal responsibilities regarding adverse action must include: 1) providing a preliminary adverse action notice to the consumer along with a copy of the consumer report and "A Summary of Your Rights Under the Fair Credit Reporting Act"; 2) allowing the consumer a designated period of time to contact the CRA if the consumer wishes to dispute any information in the consumer report; 3) providing CRA contact information; 4) providing a final adverse action notice to con
BSCC Response (continued): been rewritten to clarify that the CRA is not recommending the end user seek counsel prior to each adverse action, but simply to seek counsel to develop a legally compliant adverse action policy. The BSCC has also changed the word "Advise" to "Inform" in the Clause so as not to be construed as providing legal advice.
68. se.
BSCC Response: Based on further consideration, beta test feedback and/or legal review, the BSCC changed the Clause to read "FTC regulations" as opposed to "FTC guidelines".
BSCC Response: Based on further consideration, beta test feedback and/or legal review, the BSCC has changed the Clause to read "that comply with" as opposed to "as required by".
BSCC Response: The BSCC has deleted "and industry practice" from the Clause. The definition of what is considered sensitive varies by state law and is subject to change. The CRA is expected to be familiar with and comply with all laws in this area.
BSCC Response: The BSCC has changed B in the Clause to "Send notice to the consumer at the time information is reported". This was also changed in the Desk Audit section. This change was made to make the Clause consistent with the language of the FCRA.
Compliance CRA Lea
Clause: The CRA shall designate an individual(s) or position(s) within the
Measure: CRA shall employ a minimum of one person who is responsible for
Onsite Verification: CRA shall present written job description, policy, procedure or other
69. se who are maintaining such databases by building them through furnishers need more guidance on what is acceptable under the Standard for including information in its database in a manner that ensures accuracy. The current Measures for 5.5 indicate that the CRA will likely have significant technological systems and procedures in place for ensuring accuracy for the inclusion of such data in its database. This language lends itself to very vague requirements. This puts those compiling such data at risk in the accreditation process, as there would be little to judge any appeal by should a denial of accreditation result from failure to meet this part of the Standard. Perhaps some additional examples of what might be considered significant systems would clarify what the auditor will be assessing.
Onsite Verification (continued): person(s) responsible for accuracy of stored data, AND/OR utilize technology to control the addition or deletion of information in the database(s).
Onsite Attributes (continued): used to reasonably ensure accuracy of stored data include but are not limited to criteria for inclusion into the database, criteria for redaction from the database, criteria for correcting inaccuracies, and handling consumer disputes.
Onsite Attributes: CRA may provide information regarding use of stored adverse data to employees who are responsible for using such data by using various methods
Onsite Verification: CRA shall make available to auditor tools or systems us
70. shall provide written policy, procedure or other documentation explaining how access rights to consumer information are controlled, administered and limited.

CRA should demonstrate that password is required for sign-on and also demonstrate procedure for changing password. Required password should be a minimum of six (6) characters, preferably using both alpha and numeric characters. Records of password issuance should be securely maintained. A biometric solution would also be acceptable.

CRA shall make available the individual responsible for controlling access to consumer information. This individual shall be able to describe and/or provide documentation and/or provide a demonstration related to access control. If questioned, CRA employees who receive such requests will demonstrate knowledge of process if change in access rights is to be requested.

Process should include some or all of, but is not limited to: (1) how users apply for and receive access, (2) authorization needed for access, (3) access parameters, (4) password issuance, replacement, expiration, (5) monitoring tools and (6) recordkeeping.

Public Comment Period Feedback | BSCC Response

BSCC Response: Based on further consideration, beta test feedback and/or legal review, the BSCC has removed "qualified" from the Clause as well as corresponding desk and onsite audit criteria.

Public Comment Period Feedback: 1.2 does not make clear that hard copy documents with consumer information must be protected on
71. since it is in reference to understanding the law. The Measures for this section do not appear to give guidance on what would constitute someone as qualified for these compliance roles.

Clause 2.3: The word "demonstrating" is being used. How is "demonstrating" going to be defined? The word "thorough" is being used. Thorough can be defined as perfect, masterful, etc. Do not like that word.

2.4 references "qualified individuals". This term is not sufficiently defined by the Standard. Does it mean a lawyer is required, since it is in reference to understanding the law? The Measures for this section do not appear to give guidance on what would constitute someone as qualified for these compliance roles.

Clause 2.4: The word "demonstrating" is being used. How is "demonstrating" going to be defined? The word "thorough" is being used. Thorough can be defined as perfect, masterful, etc. Do not like that word.

The BSCC made changes similar to Section 2.1.

The BSCC made changes similar to Section 2.1.

Clause: CRA shall not engage in bribery or any other fraudulent activity to obtain preferential treatment from a public official.

Measure & Documentation: CRA shall provide written policy, procedure or other written documentation, such as an employee handbook, clearly forbidding bribery or any other fraudulent activity to obtain preferential treatment from a public official.

Potential Verification for Onsite Audit: CRA shall make available to auditor one or more documents which clear
72. sumer if a final adverse employment decision is made.

PAGE 4 OF 11

Clause | Measure & Documentation Typically Subject to Desk Audit | Potential Verification for Onsite Audit

Clause: CRA shall communicate to client that they are not acting as legal counsel and cannot provide legal advice. CRA shall communicate to client the importance of working with counsel to develop an employment screening program specific to their needs. CRA shall also communicate to client the necessity to work with counsel to ensure that client's policies and procedures

Measure & Documentation Typically Subject to Desk Audit: CRA shall provide written policy, procedure or other documentation describing how/when clients are informed that CRA is not acting as legal counsel and cannot provide legal advice. CRA shall provide copy of document used to so inform client, and such document shall include advising client to work with legal counsel regarding client's specific screening program policies/procedures to ensure legal

Potential Verification for Onsite Audit: CRA shall present written procedure for informing client that CRA does not provide legal advice or act as client's legal counsel. CRA shall make available the document(s) used to so inform clients, the person responsible for retaining signed acknowledgments, and auditor may ask to see but not retain a copy of signed acknowledg
73. ta protection responsibilities. Per the FCRA, current requirements include (1) limiting dissemination of consumer information to only those with legitimate need, permissible purpose and authorized by consumer, (2) retaining consumer data in a confidential manner and (3) destroying data in a secure manner as specified in Clause 1.10. Per the DPPA, current requirements include address such topics protecting the privacy of consumer information which is contained in motor vehicle records and accessing DMV records only with written consent of consumer.

Researcher and Data Standards

4.1 Public Record Researcher Agreement

Clause: CRA shall require a signed agreement from all non-employee to public record researchers. The agreement shall clearly outline

Measure & Documentation: CRA shall provide written policy, procedure or other written documentation describing how a signed agreement covering scope

Potential Verification for Onsite Audit: CRA shall present written procedure for obtaining signed agreement, copy of agreement and demonstrate where/how signed agreements

Attributes of and Suggestions for Onsite Audit: The agreement should include but is not limited to (1) the requirement to conduct all searches in full compliance with applicable law and regulation, (2)

Public Comment Period Feedback: Definition 8 of Public Record Researcher is most troubling. As currently defined and used in Section 4.1, for example, it converts many of NAPBS's members simultaneously into furnishers and CRAs, potentially

BSCC Response: The BSCC has removed the word "utilized" and replaced with "non employee".

identify a public record
74. ted

Public Comment Period Feedback: 1.12, dictating the masking of sensitive data, does not reflect which data elements are sensitive. The state definitions of "personal information" should be emulated at this point, as there is no federal breach law yet. Moreover, "industry standard" is a nebulous concept, and referencing it in what is supposed to state the industry standard creates unnecessary ambiguity.

1.13, regarding CRAs' FCRA compliance when reporting public record data, should use the exact language of section 613 of the FCRA. Section 613 does not use the word "contemporaneous". It uses the phrase "at the time". Moreover, by using "contemporaneous" as an adjective instead of an adverb in both the Standard and the Measures, the organization could be deemed to be taking a position as to the manner of delivery of the notice that is inconsistent with current FTC guidance. The FTC opined in 1990, when reports were already (and had for some time been) being delivered to clients electronically, that the consumer notice requirements of section 613 could be met by use of first class mail. Such system clearly does not contemplate that compliance with 613 requires that notice be accomplished at the time the report is delivered; rather, it contemplates that notice will be sent promptly to the consumer.

BSCC Response: Based on further consideration, beta test feedback and/or legal review, the BSCC has added "of CRA facilities" to the Clau
75. ted to (1) identification of information source(s), (2) type of source, (3) scope of records searched, (4) and search methodology. It is preferred that information source(s) used for each consumer reporting product methodology be included in consumer reports. Lacking such disclosure, reports should explain how user of consumer report may obtain such information.

Clause: and scope of information provided by each consumer reporting product offered by the CRA

Measure & Documentation: describes the composition of each consumer reporting product including disclosure of information source, type of source, scope of search and search descriptions, factors affecting the information and any parameters or conditions applied by the CRA when reporting to client. CRA shall provide copy of documents used to so inform clients. If CRA provides actual consumer reports to demonstrate full and accurate consumer reporting product disclosure, all personally identified inf

Potential Verification for Onsite Audit: one or more samples of provided documents. If consumer reports are used to demonstrate full and accurate consumer reporting product disclosure, all personally identified information shall be redacted and auditor will not retain copy. If interviewed, CRA employees shall demonstrate knowledge that consumer reporting product descriptions exist where such descriptions are documented.

BSCC Response: changed the Clause to eliminate the word "clearly". The term "consumer reporting products" was added to the Clause and corresponding desk and onsite audit criteria.
76. the authenticity of the conflicting information and its source, (3) method used to update report and (4) method used to provide updated information to consumer and customer and (5) the form in which the update is provided.

PAGE 8 OF 11

Clause: CRA shall train all employees engaged in verification work on procedures for completing verifications in a professional manner.

Measure & Documentation Typically Subject to Desk Audit: CRA shall provide written policy, procedure or other documentation which instructs all CRA employees engaged in verification work on procedures for completing verifications in a professional manner.

Potential Verification for Onsite Audit: CRA shall make available to auditor any materials used to train CRA employees engaged in verification work on professionalism when conducting verifications. If interviewed, CRA employees who conduct such verification work shall describe training which was received.

Attributes of and Suggestions for Onsite Audit (What auditor should look for in policy, procedure, activity): CRA may provide information to employees regarding professionalism when conducting verifications by using one or more methods which include but are not limited to (1) written material, (2) online training, (3) training classes/webinars, (4) one-on-one training sessions and/or (5) on
77. the job training.

If CRA is requesting verification by phone, fax, email or mail, CRA shall have procedures in place to confirm that verification request is directed to an authorized recipient.

CRA shall provide written policy, procedure or other documentation used to require that verification requests are directed to authorized recipients.

CRA shall present written procedure for confirming a verification request is being sent to authorized individual. If interviewed, CRA employees responsible for processing verification requests shall demonstrate knowledge of proper authentication procedures and shall be able to access current copy of documentation.

Procedures used to ensure verification requests are sent to an authorized recipient may include but are not limited to (1) confirming method used by information source to provide verification information, (2) confirming company/institution name and address matches that provided by consumer and (3) obtaining name and title of person to whom request will be sent.

Miscellaneous Business Practices

Owners, officers, principals and employees charged with the enforcement of company policy must consent to undergo a criminal records check and be found free of convictions for any crimes involving dishonesty, fraud or moral turpitude.

CRA shall provide written policy, procedure or other written documentation describing the requirement for and method used to conduct criminal history record che
78. thin the organization. If interviewed, CRA employees shall identify the person(s) who can provide FCRA expertise when needed.

CRA shall present written job description, policy, procedure or other documentation which identifies by name and/or title the person responsible for state consumer reporting law compliance. CRA shall make this person available either in person/by phone, OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for state consumer reporting law compliance within the organization. If interviewed, CRA employees shall identify the person(s) who can provide state consumer reporting law expertise when needed.

CRA shall present written job description, policy, procedure or other documentation which identifies by name and/or title the person responsible for DPPA compliance. CRA shall make this person available either in person/by phone, OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for DPPA law compliance within the organization. If interviewed, CRA employees shall identify the person(s) who can provide DPPA expertise when needed.

CRA shall present written job description, policy, procedure or other documentation which identifies by name and/or title the person responsible for state DPPA law compliance. CRA shall make this person available either in person/by phone, OR shall provide a signed affidavit or similar doc
79. tification in which employee agrees to adhere to the CRA's confidentiality, security and legal compliance practices, and where such certifications are retained.

CRA shall provide written policy, procedure or other documentation which describes the requirement for and methodology used to train CRA employees on the confidentiality, security and legal compliance procedures of the CRA.

CRA shall provide written policy, procedure or other documentation which describes the visitor security program and how visitors are prevented from accessing consumer information.

Clause: CRA shall conduct a criminal records check on all employees with access to consumer information when such searches can be conducted without violating state or federal law. These searches shall be conducted at least once every two years for the duration of their employment. Criminal offenses shall be evaluated to determine initial or continued employment based upon their access to consumer information and state and federal laws.

Measure & Documentation: CRA shall provide written policy, procedure or other documentation which describes the requirement for and methodology used to conduct criminal record checks every two years on all employees with access to consumer information when such criminal record

CRA shall have procedures in place to reasonably ensure the accuracy and quality of all work product.

CRA shall have on staff one person designated to oversee and

CRA shall employ a minimum of one
80. tters, emails, phone calls should be routed upon receipt, (3) re-investigation responsibility and/or procedures, (4) process for updating/correcting consumer report, (5) recordkeeping and (6) procedure to help prevent future occurrences, such as recommendation for training, software change, etc.

Clause: CRA shall have a procedure to suppress or truncate Social Security numbers and other sensitive data elements as required by law.

Measure & Documentation: CRA shall provide written policy, procedure or other documentation describing suppression, truncation or other methods used to protect and limit exposure of SSNs and other sensitive data elements as required by law.

Potential Verification for Onsite Audit: CRA employees shall demonstrate knowledge of proper procedures for use of SSNs and other sensitive data elements as required by law, and CRA employees shall be able to access current documentation. If interviewed, CRA employees shall demonstrate understanding of proper use and protection of SSNs and other sensitive data elements as required by law AND, if applicable, the use of technology to protect SSNs and other sensitive data elements as required by law.

Attributes of and Suggestions for Onsite Audit: Documentation should include but is not limited to (1) No more than the final four digits of SSNs shall be communicated in any form outside CRA employees unless an approved exception exists. (2) When use of SSN and other sensitive data elements as required by law is needed internally or externally, the data exposed shall be limited to only that w
81. ument in which the person has affirmed their responsibility for state DPPA law compliance within the organization. If interviewed, CRA employees shall identify the person(s) who can provide state DPPA expertise when needed.

FCRA compliance within the organization. Compliance CRA Leader shall affirm his/her role as being responsible for state consumer reporting law compliance within the organization.

Public Comment Period Feedback

2.1 references "qualified individuals". This term is not sufficiently defined by the Standard. Does it mean a lawyer is required, since it is in reference to understanding the law? The Measures for this section do not appear to give guidance on what would constitute someone as qualified for these compliance roles.

Clause 2.1: How is "qualified" defined? Should it not be "certified"? CDIA has an FCRA Certification program.

Clause 2.1: The word "demonstrating" is being used. How is "demonstrating" going to be defined? The word "thorough" is being used. Thorough can be defined as perfect, masterful, etc. Do not like that word.

2.2 references "qualified individuals". This term is not sufficiently defined by the Standard. Does it mean a lawyer is required, since it is in reference to understanding the law? The Measures for this section do not appear to give guidance on what would constitute someone as qualified for these compliance roles.

Clause 2.2: The word "demonstrating"
82. verify and related

Public Comment Period Feedback: 5.7 We feel that this clause is overly broad, the requirement overly burdensome and perhaps unnecessary, to capture attempts to verify and related information. (1) Overly Broad: Many verifications are electronic. There are quite often multiple attempts for connection and data transfer that are seamless in terms of use of the systems and results received. There is no practical need, other than I.T. troubleshooting in some cases, to maintain this information for this type of report. In another area, court Researchers often have to return to a courthouse after an hour or two due to breaks, lunches, etc. Again, there is no practical need to document this. (2) Overly Burdensome: The cost and

Potential Verification for Onsite Audit: If a manual process, CRA shall present written procedure for capturing such information. If consumer reports are used to demonstrate captured attempts and related information, all personally identified information shall be redacted and auditor will not retain copy. If interviewed, CRA employees shall demonstrate knowledge that attempts to verify must

Attributes of and Suggestions for Onsite Audit: information to employees who are responsible for data verification by using various methods which include but are not limited to (1) written manuals, (2) online manuals or instructions, (3) classroom training, (4) on the job training and/or availability of expert to provide assistance when needed. If classroom or on the job training is used, a training outline or manual may be used. Information regard
83. written job description or other documentation.

CRA shall employ a minimum of one person who is responsible for CRA's development, implementation and on-going compliance with all applicable state consumer reporting law, as evidenced by written job description(s) or other documentation. If multiple people are responsible, one person shall hold CRA Leadership role and overall responsibility, as evidenced by written job description or other documentation.

CRA shall employ a minimum of one person who is responsible for CRA's development, implementation and on-going compliance with all applicable DPPA law, as evidenced by written job description(s) or other documentation. If multiple people are responsible, one person shall hold CRA Leadership role and overall responsibility, as evidenced by written job description or other documentation.

CRA shall employ a minimum of one person who is responsible for CRA's development, implementation and on-going compliance with all applicable state DPPA laws, as evidenced by written job description(s) or other documentation. If multiple people are responsible, one person shall hold CRA Leadership role and overall responsibility, as evidenced by written job description or other documentation.

responsible for FCRA compliance. CRA shall make this person available either in person/by phone, OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for FCRA compliance wi
