Standards with Audit Criteria
Contents
1. documentation which identifies by name and or title the person responsible for state consumer reporting law compliance CRA shall make this person available either in person by phone OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for state consumer reporting law compliance within the organization If interviewed CRA employees shall identify the person s who can provide state consumer reporting law expertise when needed CRA shall present written job description policy procedure or other documentation which identifies by name and or title the person responsible for DPPA compliance CRA shall make this person available either in person by phone OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for DPPA law compliance within the organization If interviewed CRA employees shall identify the person s who can provide DPPA expertise when needed CRA shall present written job description policy procedure or other documentation which identifies by name and or title the person responsible for state DPPA law compliance CRA shall make this person available either in person by phone OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for state DPPA law compliance within the organization If interviewed CRA employees shall identify the person s who can provide
2. CRA shall provide client all federal FCRA required FTC CRA shall provide written policy procedure or other written prescribed documents which the federal FCRA mandates be documentation describing when how clients are provided with provided to client by the CRA copies of required FTC publications 2 7 Agreement from Client Before providing consumer reports to clients CRA shall obtain a CRA shall provide written policy procedure or other written signed agreement from client referred to as user in federal documentation describing when and how clients sign required FCRA in which client agrees to meet the requirements of the agreement in which client agrees to comply with applicable state federal FCRA and applicable state and federal laws and federal laws specifically including the requirements within the FCRA and where such agreements are retained CRA shall also provide copy of agreement document Client Education 3 1 Client Legal Responsibilities CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit Potential Verification for Onsite Audit What auditor should look for in policy procedure activity CRA shall make available to auditor one or more documents which CRA may provide required notices as part of a Client agreement User provide evidence that CRA has provided prescribed documents to agreement or some other document which is signed by the client and client CRA shall make availa
3. current requirements include protecting the privacy of consumer information which is contained in motor vehicle records and accessing DMV records only with written consent of The agreement should include but is not limited to 1 the requirement to conduct all searches in full compliance with applicable law and regulation 2 jurisdictions covered 3 search methodology 4 depth of search 5 disclosure of findings 6 methodology and time frame for communication and completion of requests 7 methodology for confirming identity of subject of record s 8 confidentiality requirements 9 reinvestigation requirements and 10 the requirement for public record researcher to obtain a similar agreement from subcontractors if subcontractors are used In particular the agreement should emphasize confidentiality requirements including A the legal requirement to treat all consumer information as confidential B secure data transmission and C secure and timely disposal of confidential information Note This agreement may incorporate the Certification requirement of Clause 4 3 PAGE 9 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Clause CRA shall have procedures in place to vet or qualify new public record researchers 4 3 Public Record Researcher Certification CRA shall require public record researcher to certify in writing that they will conduct research in compliance with all applicable Measure & Documentati
4. depth of search disclosure of findings methodology and time frame for communication and completion of requests methodology for confirming identity of subject of record s confidentiality requirements and reinvestigation requirements 4 2 Vetting Requirement 3 11 2013 presented in consumer reports CRA shall provide copy of document s used to so inform client may ask to see but not retain a copy of signed acknowledgments from one or more clients If interviewed CRA employees shall demonstrate knowledge of client s requirement to protect consumer CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity CRA shall inform clients of client s legal requirements regarding protection of consumer data as part of a Client agreement User agreement or through some other document which is signed by the client and includes but is not person responsible for retaining signed acknowledgments and auditor limited to client acknowledgement of consumer data protection responsibilities Per the FCRA current requirements include 1 limiting dissemination of consumer information to only those with legitimate need permissible purpose and authorized by consumer 2 retaining consumer data be able to access current copy of documentation AND OR CRA data in a confidential manner and 3 destroying data in a secure manner as employees shall
5. to vendor CRA shall provide written policy procedure or other written documentation describing how when consumer authentication identification occurs prior to disclosing consumer information and where record of such authentication is kept CRA shall provide written policy procedure or other written documentation describing CRA s record retention and destruction practices CRA shall provide written policy procedure or other written documentation describing how when CRA obtains from all employees a certification in which employee agrees to adhere to the CRA s confidentiality security and legal compliance practices and where such certifications are retained CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Potential Verification for Onsite Audit CRA shall present written procedure for authenticating new vendors and demonstrate where how authentication results are retained CRA shall make available the person responsible for such authentication and if interviewed this person shall demonstrate understanding of authentication requirements Auditor may ask to see but not retain a copy of authentication records from one or more vendor companies CRA shall present written procedure for confirming consumer s identity prior to providing any consumer information to such person Auditor may ask to see demonstration of consumer identification how CRA representative confirms identity of consumer and where record of authenthica
6. 2 to obtain information only retain a copy of signed certifications from one or more public record through legal and ethical means and 3 to dispose of or destroy confidential researchers Note This certification may be part of the Public documents in a secure manner per FTC document destruction rule Note Record Researcher Agreement described in Clause 4 1 This certification may be part of the Public Record Researcher Agreement Certifications executed prior to the CRA s application date for described in Clause 4 1 Accreditation need not be in full conformance with this clause until such time the CRA undergoes the interim surveillance audit before the end of the 3rd year of the Accreditation so as to provide the CRA time to update all researcher certifications If interviewed CRA employees responsible for working with public record researchers shall demonstrate understanding of certification requirement prior to utilizing services of public record researcher OR technology shall prevent utilization of public record researcher by CRA employees until NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA PAGE 10 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Clause CRA shall obtain proof of public record researcher s Errors and Omissions Insurance If public record researcher is unable to provide proof of insurance CRA shall maintain coverage for uninsured and or underinsured public record researcher 4 5 Inform
7. CRA s database is re verified prior to such information being if required by state or local law by state or local law If CRA does not utilize stored data CRA included in a new consumer report If interviewed CRA employees shall provide written affirmation to that effect 5 7 Documentation of Verification Attempts CRA shall have procedures in place to document all verification CRA shall present written policy procedure or other written responsible for use of such data shall demonstrate knowledge of 3 month re verification requirement and describe methodology used to ensure compliance CRA employees responsible for use of stored data shall be able to access current copy of documentation shall identify person s responsible for use of stored data AND OR technology shall prevent utilization of stored adverse data which is older than 90 days attempts made and the result of each attempt in completing all documentation used to ensure that all attempts made to verify to capture attempts to verify and related information If a manual verification services information are fully documented 3 11 2013 process CRA shall present written procedure for capturing such information If consumer reports are used to demonstrate captured attempts and related information all personally identified information shall be redacted and auditor will not retain copy If interviewed CRA employees shall demonstrate knowledge that attempts to veri
8. access demonstration related to access control If questioned CRA necessary to perform their required functions Access rights shall employees who receive such requests will demonstrate knowledge of be updated based on personnel or system changes process if change in access rights is to be requested 1 7 Physical Security CRA shall have procedures in place to control physical access to CRA shall provide written policy procedure or other documentation CRA shall provide auditor a tour of the facility demonstrating and all areas of CRA facilities that contain consumer information explaining how access to areas of CRA facilities containing describing the physical security measures in place Auditor may consumer information is controlled interview CRA staff about physical security procedures 1 8 Consumer Information Privacy Policy 3 11 2013 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity Process procedure should include some or all of but is not limited to 1 individual to contact in case of intrusion and his her back ups 2 necessity of immediately stopping intrusion activity if still occurring 3 determination of notification requirements 4 preparing notification 5 obtaining necessary approvals of notification language 6 communicating notification and 7 debrief to prevent future occurrences The process used to bac
9. documentation If multiple people are shall make this person available either in person by phone OR shall responsibility attendant to this task and shall be the CRA contact for the responsible one person shall hold overall responsibility as provide a signed affidavit or similar document in which the person auditor and accreditation related matters for NAPBS evidenced by written job description or other documentation has affirmed their responsibility for accreditation activity and on going compliance within the organization and that s he is qualified to hold such responsibility If interviewed CRA employees shall identify the person s who can provide accreditation expertise when needed Miscellaneous Notes Concepts of Opportunity for Improvement OFI and Controlled Document 3 11 2013 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA PAGE 19 OF 19
10. expertise when needed NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA PAGE 4 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Clause Measure & Documentation Typically Subject to Desk Audit CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Potential Verification for Onsite Audit The CRA shall designate an individual s or position s within the CRA shall employ a minimum of one person who is responsible for CRA shall present written job description policy procedure or other organization responsible for compliance with all state consumer reporting laws that pertain to the consumer reports provided by the CRA for employment purposes 2 3 Driver Privacy Protection Act DPPA The CRA shall designate an individual s or position s within the organization responsible for compliance with the DPPA that pertain to the consumer reports provided by the CRA for employment purposes if the CRA furnishes consumer reports that contain information subject to the DPPA 2 4 State Implemented DPPA Compliance If the CRA furnishes consumer reports that contain information subject to the DPPA implementing statutes in a particular state s the CRA shall designate an individual s or position s within the organization responsible for compliance with state implementations of the DPPA that pertain to the products and services provided by the CRA for employment purposes 2 5 Integrity CRA shall not engage in bribery or any o
11. from diploma mills and advising client shall demonstrate knowledge of diploma mills and describe methodology by which they learn about such diploma mills and how to advise clients CRA employees responsible for verification of academic credentials and advising clients shall be able to access current copy of documentation AND OR CRA employees shall identify person s responsible for such activity CRA shall make available to auditor tools or systems used to disclose to client general practices regarding verification practices including attempts to verify fees question formats etc CRA shall present written procedure for providing information to clients that accurately describes products including one or more samples of provided documents If consumer reports are used to demonstrate full and accurate procedural disclosure all personally identified information shall be redacted and auditor will not retain copy If interviewed CRA employees shall demonstrate knowledge that procedural requirements exist where such requirements are documented AND OR the person responsible for CRA s products NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity CRA may provide information regarding verification of current employment to employees who are responsible for such verification by using various methods which may include but are
12. institution and advise client of findings when the institution is a known or suspected diploma mill CRA shall present written policy procedure client education material or other written documentation methodology used to provide full disclosure to a client about general business practices regarding number of attempts to verify information what constitutes an attempt locate fees fees charged by the employer or service provider and standard question formats prior to providing such services CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Potential Verification for Onsite Audit CRA shall make available to auditor tools or systems used except actual personally identifiable information to reasonably ensure current employer is not directly contacted without explicit authorization by the consumer and or client If interviewed CRA employees responsible for verification of current employment shall demonstrate knowledge of authorization requirement and describe methodology by which they learn about such requirement CRA employees responsible for current employer contact shall be able to access current copy of documentation AND OR CRA employees shall identify person s responsible for such contact CRA shall make available to auditor tools or systems used to reasonably ensure identification of diploma mills and to advise client when applicable If interviewed CRA employees responsible for verification of academic credentials received
13. provide information to clients regarding how to order retrieve read and understand consumer reports by using one or more methods which include but are not limited to 1 user manual guide 2 online training user guides or help system 3 user training classes webinars 4 one on one training sessions or 5 verbal assistance PAGE 8 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Clause Measure & Documentation Typically Subject to Desk Audit Potential Verification for Onsite Audit CRA shall provide information to client regarding 1 the sensitive CRA shall provide written policy procedure or other documentation CRA shall present written procedure for informing client of client s describing how when clients are provided with information regarding legal responsibilities regarding protection of consumer data CRA importance of and legal requirement to protect consumer data shall make available the document s used to so inform clients the nature of consumer reports 2 the need to protect such information and 3 the consumer report retention and destruction practices as outlined in the federal FCRA and the DPPA Researcher and Data Standards 4 1 Public Record Researcher Agreement CRA shall require a signed agreement from all non employee public record researchers The agreement shall clearly outline the scope of services agreed to by CRA and researcher including jurisdictions covered search methodology
14. responsible for such vetting and incorporation state filing etc and authentication thereof 2 verification of auditor may ask to see but not retain a copy of vetting records from required private investigator license if such license is required 3 completed one or more public record researchers If interviewed CRA favorable reference interviews from at least one current client 4 verification employees responsible for working with public record researchers of association memberships such as local Chamber of Commerce Better shall demonstrate understanding of vetting requirement prior to Business Bureau NCISS ASIS etc 5 results of test searches conducted utilizing services of public record researcher OR technology shall and 6 confirmation of certification under the NAPBS PROVIDER prevent utilization of public record researcher by CRA employees until GUIDELINES CRA Leader has enabled use CRA shall present written procedure for obtaining signed certification The Certification in which the Public Record Researcher agrees must include copy of certification and demonstrate where how signed certifications but is not limited to the following 1 to comply with all applicable local state are retained CRA shall make available the person responsible for and federal laws as well as in the manner prescribed by the jurisdiction retaining these certifications and auditor may ask to see but not which maintains the official record of the court
15. state DPPA expertise when needed CRA shall make available to auditor one or more documents which Clearly forbid bribery or any other fraudulent activity to obtain preferential treatment from a public official If interviewed CRA employees responsible for obtaining public record information shall demonstrate knowledge of anti bribery fraudulent activity policy and be able to access current documentation CRA shall affirm that they do not engage in bribery or other fraudulent activity and that CRA has never been convicted of such activity NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity Compliance CRA Leader shall affirm his her role as being responsible for state consumer reporting law compliance within the organization Compliance CRA Leader shall affirm his her role as being responsible for DPPA compliance within the organization Compliance CRA Leader shall affirm his her role as being responsible for state DPPA law compliance within the organization If CRA has been convicted of bribery or other fraudulent activity auditor shall advise Accreditation Review Board Board shall review specifics of case to determine whether CRA may proceed with the accreditation process PAGE 5 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Measure & Documentation Clause Typically Subject to Desk Audit
16. 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide assistance when needed If classroom or on the job training is used a training outline or manual may be used PAGE 18 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Clause Measure & Documentation Potential Verification for Onsite Audit Attributes of and Suggestions for Onsite Audit Typically Subject to Desk Audit What auditor should look for in policy procedure activity CRA shall have on staff one person designated to oversee and CRA shall employ a minimum of one person who is responsible for CRA shall present written job description policy procedure or other The person responsible for overall accreditation shall affirm his her role as administer the accreditation processes and future compliance by CRA s accreditation activity and on going compliance with documentation which identifies by name and or title the person being responsible for accreditation certification activity and on going the CRA including enforcement of the standard by all concerned applicable standards requirements as evidenced by written job responsible for accreditation activity and on going compliance CRA compliance within the organization and that s he is qualified to hold such This person shall be vested with the responsibilities and authority description s or other
17. NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Measure & Documentation Clause Typically Subject to Desk Audit Potential Verification for Onsite Audit Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity Data Information and Security DEFINITION Consumer information includes any information identifiable to one or more consumers including that found in vendor reports spreadsheets consumer reports paper or electronic information management systems faxed documents and client communications 1 1 Information Security CRA shall have a written information security policy CRA shall CRA shall provide written information security policy CRA shall present written information security policy If questioned designate one or more individuals within the organization who are CRA employees should demonstrate knowledge of information responsible for implementing managing and enforcing the security policy and be able to access current policy information security policy CRA shall employ or retain a minimum of one person who is CRA shall present written job description policy procedure or other responsible for CRA s overall information security program This documentation which identifies by name and or title the person will be evidenced by written job description policy procedure or responsible for the overall information se
18. REDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity CRA may inform client that there are legal requirements regarding adverse action as part of a Client agreement User agreement or through some other document which is signed by the client and includes client acknowledgement Per the FCRA client s current legal responsibilities regarding adverse action must include 1 providing preliminary adverse action notice to consumer along with copy of consumer report and A Summary of Your Rights Under the Fair Credit Reporting Act 2 allowing consumer a designated period of time to contact CRA if consumer wishes to dispute any information in consumer report 3 providing CRA contact information 4 providing a final adverse action notice to consumer if a final adverse employment decision is made CRA shall inform clients that CRA does not function as legal counsel as part of a Client agreement User agreement or through some other document which is signed by the client and includes client acknowledgement Such acknowledgment must include but is not limited to 1 CRA is not legal counsel and does not provide legal advice 2 advising client of importance of working with their legal counsel to ensure overall screening program compliance and 3 advising clients that consumer reports provided by CRA must be used in compliance with state and federal law CRA may
19. ademic institution When advising client regarding diploma mills and putting such information in consumer report CRA shall avoid absolutes and rather use language similar to academic institution appears to be a diploma mill CRA shall provide information to employers regarding general verification business practices by using various methods which include but are not limited to 1 product descriptions 2 statement of work documents 3 written agreements and or detail provided in the verification itself Disclosed information regarding general verification business practices includes but is not limited to 1 number of attempts to verify information 2 what constitutes an attempt 3 fees charged by the employer or service provider and 4 standard question formats PAGE 13 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Measure & Documentation Clause Typically Subject to Desk Audit Potential Verification for Onsite Audit If CRA compiles maintains and resells employment or CRA shall present written policy procedure or other written CRA shall make available to auditor tools or systems used except educational verification information CRA shall have procedures documentation used to ensure that data compiled and stored is actual personally identifiable information to reasonably ensure data in place to ensure that data compiled and stored is accurate accurate inc
20. and or inappropriate use of consumer information be able to access current copy of documentation CRA shall provide written policy procedure or other document CRA employees shall demonstrate knowledge and use of proper employee handbook etc which instructs CRA employees on document destruction procedures and be able to access current appropriate document destruction procedures documentation CRA shall provide written policy procedure or other documentation CRA employees responsible for consumer disputes shall demonstrate which instructs CRA employees on consumer dispute procedures knowledge of proper consumer dispute procedures and be able to access current copy of documentation Auditor may request to see a redacted copy of dispute documentation NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity The policy should include some or all of but is not limited to the following the purpose of the collection of consumer information the intended use and how the information will be shared stored and destroyed The CRA shall post this policy on its website if it has one and will make said policy available to clients and or consumers upon request utilizing at least one other method Documentation should include statement of appropriate use as being limited to business purpose
21. ation Security CRA shall provide a secure means by which public record researchers will receive orders and return search results 4 6 Auditing Procedures CRA shall maintain auditing procedures for quality assurance in regard to their active public record researchers 4 7 Identification Confirmation 3 11 2013 Measure & Documentation Typically Subject to Desk Audit CRA shall provide written policy procedure or other written documentation describing the requirement to and method used to verify public record researcher s Errors and Omissions insurance and that such insurance remains in force If researcher does not have or cannot prove existing coverage CRA shall provide copy of CRA s insurance policy which contains E & O coverage for uninsured underinsured public record researchers CRA shall provide written policy procedure or other written documentation describing the requirement to and method used to secure and protect consumer information when such information is being transmitted to and returned by public record researchers CRA shall provide written policy procedure or other written documentation describing the requirement to and method used to CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit Potential Verification for Onsite Audit What auditor should look for in policy procedure activity CRA shall present written procedure for obtaining proof of public The E & O i
22. authorized recipient recipients Miscellaneous Business Practices 6 1 Character Owners officers principals and employees charged with the CRA shall provide written policy procedure or other written enforcement of company policy must consent to undergo a documentation describing the requirement for and method used to criminal records check and be found free of convictions for any conduct criminal history record checks on owners principals and crimes involving dishonesty fraud or moral turpitude employees charged with enforcement of company policy to confirm these individuals are free of convictions for any crimes involving dishonesty fraud or moral turpitude CRA shall affirm in writing that owners officers principals and employees charged with the enforcement of company policy are free of convictions for any crimes involving dishonesty fraud or moral turpitude 6 2 Insurance CRA shall maintain errors and omissions insurance If CRA does CRA shall provide copy of Certificate of Insurance listing errors and not maintain errors and omission insurance CRA must self omissions policy coverage amount If CRA does not maintain insure in a manner compliant with its state s insurance errors and omissions insurance CRA must provide documentation requirements that they have self insured in conformance with state requirements 6 3 Client Authentication CRA shall have a procedure to identify and authenticate all CRA shall provide writte
23. ble the person responsible for providing includes client acknowledgement of receipt of required notices or provide notices either in person by phone OR shall provide a signed affidavit other written documentation as to CRA s policies & procedures as to how or similar document in which the person has affirmed his her they provide such documents Per the FCRA such notices currently include responsibility for compliance with notification requirements within the 1 Notice to Users of Consumer Reports Obligations of Users under the organization FCRA and 2 A Summary of Your Rights Under the Fair Credit Reporting Act CRA shall present written procedure for obtaining signed agreement The agreement must meet requirements of FCRA which currently include 1 copy of agreement document and demonstrate where how signed permissible purpose 2 disclosure and authorization 3 adverse action 4 agreements are retained CRA shall make available the person confidentiality 5 compliance with all applicable laws and regulations and 6 responsible for retaining these agreements and auditor may ask to that client will not use consumer information in violation of any state or see but not retain a copy of signed agreements from one or more federal law including equal employment opportunity laws clients Should requested agreements predate CRA s application date for Accreditation auditor will only look to identify language regarding compliance wi
24. ch are needed to meet legal requirements regarding employer s procurement and use of consumer reports CRA shall make available the person responsible for providing sample documents or informing clients of the specific documents needed If interviewed CRA employees shall demonstrate knowledge of client required documents be able to access current copy of documentation AND OR CRA employees shall identify person s to address such topics CRA shall present written procedure for providing information to clients that accurately describes consumer reporting products including one or more samples of provided documents If consumer reports are used to demonstrate full and accurate consumer reporting product disclosure all personally identified information shall be redacted and auditor will not retain copy If interviewed CRA employees shall demonstrate knowledge that consumer reporting product descriptions exist where such descriptions are documented AND OR the person responsible for CRA s consumer reporting products 3 11 2013 Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity CRA shall inform clients that they have legal responsibilities and recommend that clients seek legal counsel as part of a Client agreement User agreement or through some other document which is signed by the client and includes but is not limited to client a
25. cknowledgement of legal responsibilities Per the FCRA current legal responsibilities include 1 having permissible purpose 2 disclosing to consumer 3 obtaining consumer authorization 4 following prescribed adverse action procedures 5 complying with all applicable state and federal law and 6 obtaining retaining using and destroying data in a confidential manner CRA shall provide samples of documents which are required for client to procure and use consumer reports or shall inform them of required documents These may include but are not limited to 1 disclosures and authorizations to meet current federal and state requirements including special disclosure and authorization requirements in CA OK MN and NY 2 required forms and or information to obtain statewide criminal record searches in those states where currently required including AK IN MA NH NM NV OH VA WV WY 3 required forms and or information to obtain driving records in those states where currently required including CA CO DE GA MD MI NH OH PA WA CRA may also provide sample disclosure authorization and or adverse action notices CRA may also include other documents which must be provided to clients as described in mn ani Information disclosed regarding consumer reporting products shall include but is not limited to 1 identification of information source s 2 type of source 3 scope of records searched 4 and search methodology It is prefe
26. curity program other documentation If various people are responsible for different aspects of the program one person shall hold overall responsibility as evidenced by job description organizational chart or other documentation 1 2 Data Security CRA shall have procedures in place to protect consumer CRA shall provide written procedures in place to protect consumer CRA employees dealing with consumer information shall be able to information under the control of the CRA from internal and information from unauthorized electronic and or physical access explain and demonstrate procedures for protecting consumer external unauthorized access These procedures shall include This includes the collection use storage and destruction of information in their possession whether such information is used specifications for the securing of information in both hard copy consumer information in both paper and electronic form internally and or externally and be able to access current and electronic form including information stored on portable documentation CRA will also be able to demonstrate electronic and and or removable electronic devices physical protection of consumer information 1 3 Intrusion and Data Security CRA shall have procedures in place to detect investigate and CRA shall provide procedures for detecting and identifying CRA shall make available the procedure process and or tools used respond to an information system intrusion includi
27. d stored and destroyed The CRA shall post this policy on its Web site if it has one and will make said policy available to clients and or consumers upon request in at least one other format 1 9 Unauthorized Browsing CRA shall have a policy that prohibits workers from searching files and databases unless they have a bona fide business necessity 1 10 Record Destruction When records are to be destroyed or disposed of CRA shall follow FTC regulations and take measures to ensure that all such records and data are destroyed and unrecoverable 1 11 Consumer Disputes CRA shall have procedures in place for handling and documenting a consumer dispute that comply with the federal FCRA 1 12 Sensitive Data Masking Measure & Documentation Typically Subject to Desk Audit Potential Verification for Onsite Audit CRA shall provide a copy of the Consumer Information Privacy CRA employees shall be able to access current copy of Privacy Policy along with the address of the policy on the CRA s website if Policy and describe process by which privacy policy may be CRA has website and an explanation of other means by which communicated externally privacy policy is communicated CRA shall provide written policy procedure or other document CRA employees with access to consumer information shall employee handbook etc which instructs CRA employees on demonstrate knowledge of proper use of consumer information and appropriate
28. demonstration of security tools in use For each transmission faxed a cover page should always be used and must not contain any method CRA may be asked to demonstrate the security controls personally identifiable information 4 if faxed CRA shall have verified which are in use receiving fax is in a non public location 5 if transmitted using CRA network such network should be secured using a minimum of 128 SSL 6 if transmitted via Internet data shall be encrypted or protected in a comparable manner CRA shall present written documentation for auditing public record Audit procedures for public record researchers may include but are not researchers CRA shall make available the person responsible for limited to 1 an established protocol for auditing researchers 2 sending audit public record researchers in order to actively monitor quality of such audits and auditor may ask to see but not retain copy of audit research requests where result is already known 3 how returned results are researcher work results for one or more public record researchers compared to expected results and 4 process for dealing with researcher errors up to and including termination of services It is recommended that test cases be entered in a log with results that may include A date of test B unique identifier such as order number or subject name plus last four digits of SSN C results returned D whether results were as expected and E any ramod
29. e importance of working with counsel to legal counsel and cannot provide legal advice CRA shall provide develop an employment screening program specific to their copy of document used to so inform client and such document shall needs CRA shall also communicate to client the necessity to include advising client to work with legal counsel regarding client s work with counsel to ensure that client s policies and procedures specific screening program policies procedures to ensure legal related to the use of CRA provided information are in compliance compliance with applicable state and federal laws 3 6 Understanding Consumer Reports CRA shall provide guidance to client on how to order retrieve CRA shall provide written policy procedure or other documentation read and understand the information provided in consumer describing how when clients are provided with information regarding reports provided by the CRA obtaining and understanding consumer reports CRA shall provide copy of document s used to so inform client shall demonstrate online tools information such as User Guide provided to clients or other method s used to assist clients 3 7 Information Protection Potential Verification for Onsite Audit CRA shall present written procedure for informing client that there are legal requirements regarding adverse action and advising client to consult with legal counsel CRA shall make a
30. f one independent third party and or 5 previous experience of CRA when Consumer identification processes may include but are not limited to confirmation of 1 full name 2 date of birth 3 street address used on application or authorization document 4 last four digits of SSN and 5 driver s license number CRA s should retain records to comply with the limitation of liability action per the FCRA which is currently not later than the earlier of 1 2 years after the date of discovery by the plaintiff of the violation that is the basis for such liability or 2 5 years after the date on which the violation that is the basis for such liability occurs CRA s are subject to the FTC s document destruction rule which currently requires secure destruction through means that are reasonable and appropriate to prevent the unauthorized access to or use of information in a consumer report For example establishing and complying with policies to burn pulverize or shred papers so that the information cannot be read or reconstructed destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed or conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as Certification language may include but is not limited to agreement by employee to 1 hold use and destroy all client and consumer information i
31. fication of caller before providing consumer information 6 employee badging or other identification system 7 unescorted visitor policy 8 secure document destruction 9 secure transport of information 10 use of encryption and or secure networks and or websites 11 password assignment and replacement 12 controlling use of portable storage devices 13 alarm systems 14 door locks and 15 secure server CRA should be able to present proof of tools used to protect network data and consumer information This may be intrusion detection testing results firewall protections used secure website etc PAGE 1 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Clause Typically Subject to Desk Audit Potential Verification for Onsite Audit CRA shall provide procedures for responding to information system CRA shall make available the procedure process and or tools used intrusions including how consumer notification requirements are to respond to intrusions If questioned CRA employees should determined demonstrate knowledge of procedure to be followed in case of intrusion or suspected intrusion and be able to access current documentation 1 4 Stored Data Security CRA shall have procedures in place to ensure backup data is CRA shall provide written policy procedure or other documentation CRA shall make available the individual responsible for data backup stored in a
32. fy must be documented where such requirements are documented identify the person responsible for CRA s products and processes AND OR technology shall automatically capture attempts to verify and related information CRA shall make available to auditor tools systems or methods used Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity This clause addresses organizations that compile information for potential future use or sale CRA may provide information regarding accuracy of stored data to employees who are responsible for such accuracy by using various methods which include but are not limited to 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide assistance when needed If classroom or on the job training is used a training outline or manual may be used Methods used to reasonably ensure accuracy of stored data include but are not limited to criteria for inclusion into the database criteria for redaction from the database criteria for correcting inaccuracies and handling consumer disputes CRA may provide information regarding use of stored adverse data to employees who are responsible for using such data by using various methods which include but are not limited to 1 written manuals 2 online manuals or instructions 3 classro
33. has enabled use 5 9 Conflicting Data Should CRA receive information from the verification source subsequent to the delivery of the consumer report and as a direct result of the initial inquiry that conflicts with originally reported information and that new information is received within 120 days of the initial report or as may be required by law CRA shall have procedures in place to notify client of such information CRA shall provide written policy procedure or other documentation describing how conflicting data when received within 120 of report completion and as a direct result of original inquiry is provided to client who originally ordered such report CRA employees responsible for reporting conflicting data as described in 5 9 shall demonstrate knowledge of proper procedures and be able to access current copy of documentation 5 10 Professional Conduct CRA shall train all employees engaged in verification work on CRA shall provide written policy procedure or other documentation CRA shall make available to auditor any materials used to train CRA procedures for completing verifications in a professional manner which instructs all CRA employees engaged in verification work on employees engaged in verification work on professionalism when procedures for completing verifications in a professional manner conducting verifications If interviewed CRA employees who conduct such verification work shall describe training which wa
34. ial actions taken Clause CRA shall follow reasonable procedures to assure maximum possible accuracy when determining the identity of a consumer who is the subject of a record prior to reporting the information CRA shall have procedures in place to notify client of any adverse information that is reported based on a name match only Measure & Documentation Typically Subject to Desk Audit CRA shall provide written policy procedure or other written documentation describing procedures used to assure maximum possible accuracy when determining the identity of a consumer who is the subject of a record prior to reporting the information CRA shall provide written policy procedure or other written documentation describing procedures used to notify client of any Potential Verification for Onsite Audit CRA shall present written documentation for assuring maximum possible accuracy when determining the identity of a consumer who is the subject of a record prior to reporting the information CRA shall present written documentation for notifying client of any adverse information that is reported based on a name match only CRA shall make available the person responsible for ensuring compliance Attributes of and Suggestions for Onsite Audit What auditor sh
35. iality security and legal compliance practices by using one or more methods which include but are not limited to 1 written material 2 online training 3 training classes webinars 4 one on one training sessions and or 5 on the job training Visitor security policy must include method s which prevent visitors from accessing consumer information These methods may include but are not limited to 1 use of sign in out registry 2 issuance of temporary badges 3 situations in which a CRA employee must escort the visitor 4 controlled access to systems and data and 5 controlled access to areas of facility in which consumer information is readily available on screens or hard copy The evaluation of employee criminal check results and employment continued employment must comply with applicable state or federal law in relation to work performed by the CRA and licenses held by the CRA such as private investigator The evaluation of employee criminal check results may also include but are not limited to 1 position employee holds or will hold with CRA 2 the nature of the offense s 3 the time elapsed since the offense s occurred 4 the conduct of the employee since the offense s 5 evidence of rehabilitation and 6 employment history CRA may provide information regarding quality and accuracy of work product to employees who are responsible for such quality and accuracy by using various methods which include but are not limited to
36. identify person s to address such topics CRA shall provide written policy procedure or other written CRA shall present written procedure for obtaining signed agreement documentation describing how a signed agreement covering scope copy of agreement and demonstrate where how signed agreements of services is obtained from and retained for all current public are retained CRA shall make available the person responsible for record researchers CRA shall also provide copy of current obtaining and retaining these agreements and auditor may ask to see agreement Note This agreement may also incorporate but not retain a copy of signed agreements from one or more public Certification requirements of Clause 4 3 record researchers Agreements executed prior to the CRA s application date for Accreditation need not be in full conformance with this clause until such time the CRA undergoes the interim surveillance audit before the end of the 3rd year of the Accreditation so as to provide the CRA time to update all researcher agreements If interviewed CRA employees responsible for working with public record researchers shall demonstrate understanding of requirement for signed agreement prior to utilizing services of public record researcher OR technology shall prevent utilization of public record researcher by CRA employees until CRA Leader has enabled use specified in Clause 1 10 Per the DPPA
37. irming company institution name and address matches that provided by consumer and 3 obtaining name and title of person to whom request will be sent This clause refers only to the entity being accredited and not any parent company It covers owners managers and supervisory personnel who are charged with enforcement of company policy See Clause 6 10 for all CRA employees Criminal record checks shall be free of criminal convictions for dishonesty fraud or moral turpitude None CRA shall present written procedure for authenticating new clients and Client authentication methods may include but are not limited to 1 demonstrate where how authentication results are retained CRA shall make available the person responsible for such authentication and auditor may ask to see but not retain a copy of authentication records from one or more client companies If interviewed CRA employees responsible for providing consumer information to clients shall demonstrate understanding of authentication requirement prior to providing consumer information to clients OR technology shall prevent providing such information to clients until CRA Leader has anaoahlad nrannce obtaining evidence of right to conduct business such as copy of business license articles of incorporation state filing etc and authentication thereof 2 verification of working business phone fax email and webs
38. istance when needed If classroom or on the job training is used a training outline or manual may be used Information regarding handling and reporting of conflicting data should include but is not limited to 1 confirmation that conflicting information is specifically related to same consumer same customer and original report 2 verification of the authenticity of the conflicting information and its source 3 method used to update report and 4 method used to provide updated information to consumer and customer and 5 the form in which the update is provided CRA may provide information to employees regarding professionalism when conducting verifications by using one or more methods which include but are not limited to 1 written material 2 online training 3 training classes webinars 4 one on one training sessions and or 5 on the job training Measure & Documentation Clause Typically Subject to Desk Audit Potential Verification for Onsite Audit If CRA is requesting verification by phone fax email or mail CRA shall provide written policy procedure or other documentation CRA shall present written procedure for confirming a verification CRA shall have procedures in place to confirm that verification used to require that verification requests are directed to authorized request is directed to an
39. ite 3 verification of listing in business directories such as yellow pages Hoover s Dun and Bradstreet etc and 4 onsite inspection to confirm business facility exterior and interior appearance meet common business norms for this type of business Clause CRA shall have a procedure to identify and authenticate all vendors prior to disclosing consumer information The procedure shall require the CRA to maintain written records regarding the qualification of each vendor who receives consumer information 6 5 Consumer Authentication CRA shall develop and implement requirements for what information consumers shall provide as proof of identity prior to providing file disclosure to the consumer The CRA shall maintain procedures to document the information used to identify each consumer to whom file disclosure is provided 6 6 Document Management CRA shall have a written record retention and destruction policy pursuant to the federal FCRA 6 7 Employee Certification CRA shall require all workers to certify they will adhere to the confidentiality security and legal compliance practices of the CRA Measure & Documentation Typically Subject to Desk Audit CRA shall provide written policy procedure or other written documentation describing the requirement for and method used to authenticate vendors prior to disclosing any consumer information
40. kup and store data should include limiting backup to select authorized individuals secure transport of backup tapes to storage facility and security at the storage location At a minimum this includes locked storage facility and password protected access CRA should demonstrate that password is required for sign on and also demonstrate procedure for changing password Required password should be a minimum of six 6 characters preferably using both alpha and numeric characters Records of password issuance should be securely maintained A biometric solution would also be acceptable Process should include some or all of but is not limited to 1 how users apply for and receive access 2 authorization needed for access 3 access parameters 4 password issuance replacement expiration 5 monitoring tools and 6 recordkeeping Process procedure should include some or all of but is not limited to the following 1 procedures for granting levels of access to CRA personnel e g assignment of keys or security system passcodes 2 procedures for authorizing and monitoring guests including the auditor to the facility and 3 control of access by staff contingent workers vendors etc Clause CRA shall have a Consumer Information Privacy Policy detailing the purpose of the collection of consumer information the intended use and how the information will be share
41. luding procedures for handling consumer disputes If compiled and stored is accurate If interviewed CRA employees including procedures for handling consumer disputes CRA does not compile maintain and resell employment or responsible for accuracy of stored data shall demonstrate knowledge education information CRA shall provide written affirmation to that of accuracy requirement and describe methodology used to ensure effect accuracy CRA employees responsible for accuracy of stored data shall be able to access current copy of documentation identify person s responsible for accuracy of stored data AND OR utilize technology to control the addition or deletion of information in the database s 5 6 Use of Stored Data If CRA provides investigative consumer reports from stored data CRA shall present written policy procedure or other written CRA shall make available to auditor tools or systems used except CRA shall have procedures in place to ensure the CRA does not documentation to ensure CRA does not provi provide previously reported adverse information unless it has adverse information stored in CRA s database unless it has been re adverse data older than 3 months or less if so required by applicable been re verified within the past three months or for a shorter time verified within the past three months or for a de previously reported actual personally identifiable information to reasonably ensure that shorter time if required law in
42. n a secure manner 2 provide consumer information to third parties only after following defined authentication procedures 3 abide by physical security practices 4 abide by information security practices and 5 follow all compliance practices of the CRA Measure & Documentation Clause Typically Subject to Desk Audit 6 8 Worker Training CRA shall provide training to all workers on confidentiality CRA shall provide written policy procedure or other documentation security and legal compliance practices of the CRA which describes the requirement for and methodology used to train CRA employees on the confidentiality security and legal compliance procedures of the CRA 6 9 Visitor Security CRA shall utilize a visitor security program to ensure visitors do CRA shall provide written policy procedure or other documentation not have access to consumer information which describes the visitor security program and how visitors are prevented from accessing consumer information 6 10 Employee Criminal History CRA shall conduct a criminal records check on all employees CRA shall provide written policy procedure or other documentation with access to consumer information when such searches can be which describes the requirement for and methodology used to conducted without violating state or federal law These searches conduct criminal record checks ever
43. n encrypted or otherwise protected manner explaining data backup storage and access procedures and storage This individual shall be able to describe and or provide documentation related to backup and data storage 1 5 Password Protocol CRA shall require strong password protocol pursuant to current CRA shall provide written policy procedure or other documentation CRA shall make available the individual responsible for password security best practices which explains password protocol and how such protocol is used protocol This individual shall be able to describe and or provide documentation related to password characteristics assignment replacement and recordkeeping If questioned CRA employees who use passwords shall explain process to obtain a password for him herself and or client and be able to access current documentation 1 6 Electronic Access Control CRA shall have procedures in place to control access to all CRA shall provide written policy procedure or other documentation CRA shall make available the individual responsible for controlling electronic information systems and electronic media that contain explaining how access rights to consumer information are access to consumer information This individual shall be able to consumer information CRA shall have procedures in place to controlled administered and limited describe and or provide documentation and or provide a administer access rights Users shall only be given the
44. n policy procedure or other written clients prior to disclosing consumer reports or other consumer documentation describing the requirement for and method used to information The procedure shall require the CRA to maintain authenticate clients prior to providing consumer reports or any written records regarding the qualification of each client who consumer information to client receives consumer reports or other consumer information 6 4 Vendor Authentication request is being sent to authorized individual If interviewed CRA employees responsible for processing verification requests shall demonstrate knowledge of proper authentication procedures and shall be able to access current copy of documentation CRA shall present written procedure for conducting criminal history record checks on owners principals and employees charged with the enforcement of company policy CRA shall also demonstrate how results are reviewed for acceptability and where records are retained CRA shall make available the person responsible for these checks and auditor may ask to see but not retain a copy of criminal history check results None Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity Procedures used to ensure verification requests are sent to an authorized recipient may include but are not limited to 1 confirming method used by information source to provide verification information 2 conf
45. ng consumer information system intrusions unauthorized access to computer to monitor access and identify potential intrusions notification where warranted systems and or consumer data This is an overarching information security policy which broadly addresses security within the CRA environment This policy may reference other security policies and or procedures dealing with specific security topics The security topics addressed may include some or all of the following but are not limited to confidentiality agreements with vendors and employees physical security of consumer information electronic security of consumer information communicating consumer information to vendors clients and other parties providing and communicating information to consumers permissible uses of portable and or removable electronic storage devices CRA shall make available documentation which clearly identifies person by name and title who is responsible for overall information security program The policies and procedures designed to protect consumer information may include some or all of the following but are not limited to 1 securing unattended workstations 2 limited access to networks data and work areas 3 limiting consumer information provided to information sources to only that information which is needed to conduct a search 4 destruction of hard copy documents 5 identi
46. not limited to 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide assistance when needed If classroom or on the job training is used a training outline or manual should be used Methods used to reasonably ensure consumer s current employer is directly contacted only with authorization may include but are not limited to 1 authorization provided on employment application 2 explicit authorization provided within Disclosure Authorization signed by consumer 3 Specific directive provided by client AND OR 4 technology shall prevent verification of current employment by CRA employees until CRA Leader has so enabled CRA may provide information regarding verification of academic credentials from diploma mills to employees who are responsible for such verification by using various methods which include but are not limited to 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide assistance when needed If classroom or on the job training is used a training outline or manual should be used Methods used to reasonably ensure identification of diploma mill include but are not limited to 1 a check of CRA s existing database or list of known diploma mills 2 a check with the council for higher education 3 state education departments and or 4 an internet search of the ac
47. nsibility and or procedures 4 process for updating correcting consumer report 5 recordkeeping and 6 procedure to help prevent future occurrences such as recommendation for training software change etc PAGE 3 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Clause CRA shall have a procedure to suppress or truncate Social Security numbers and other sensitive data elements as required by law 1 13 Database Criminal Records When reporting potentially adverse criminal record information derived from a non government owned or non government sponsored supported database pursuant to the federal FCRA the CRA shall either A verify the information directly with the venue that maintains the official record for that jurisdiction prior to reporting the adverse information to the client or B send notice to the consumer at the time information is reported Legal and Compliance 2 1 Designated Compliance Person s The CRA shall designate an individual s or position s within the organization responsible for CRA s compliance with all sections of the federal FCRA that pertain to the consumer reports provided by the CRA for employment purposes 2 2 State Consumer Reporting Laws 3 11 2013 Measure & Documentation Typically Subject to Desk Audit CRA shall provide written policy procedure or other documentation describing suppression truncation or other methods used to protect and limit exposure of SSN s and
48. nsurance should be in force and cover CRA and CRA public record record researcher s E&O insurance and demonstrate where how such researchers No specific amount is required but a minimum of two million in proof documentation is retained CRA shall make available the coverage is recommended person responsible for retaining this proof and auditor may ask to see but not retain a copy of such proof from one or more public record researchers In addition auditor may ask to see but not retain copy of CRA s E&O insurance policy in which coverage for uninsured underinsured public record researchers is provided If interviewed CRA employees responsible for working with public record researchers shall demonstrate understanding of E&O requirement prior to utilizing services of public record researcher OR technology shall prevent utilization of public record researcher by CRA shall present written procedure for sending consumer Security procedures for personally identifiable information should include but information to and receiving consumer information from public record are not limited to 1 all transmissions should be directed to a named party 2 researchers CRA shall make available the person responsible for all transmissions must be clearly marked as CONFIDENTIAL and include a security of transmitted consumer information and auditor may ask to request to notify sender if received by someone other than named party 3 if see
49. om training 4 on the job training and or 5 availability of expert to provide assistance when needed If classroom or on the job training is used a training outline or manual may be used Such information and or training shall include what constitutes adverse information for different types of background checks through 1 definition 2 examples and or 3 by referring CRA employees to designated expert CRA may provide information regarding attempts to verify and related information to employees who are responsible for data verification by using various methods which include but are not limited to 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide assistance when needed If classroom or on the job training is used a training outline or manual may be used Information regarding attempts to verify should include but is not limited to 1 date and time of contact or attempted contact 2 method of contact such as phone number dialed fax number used email address used address to which information was mailed etc 3 name and title of contact 4 results of attempt and 4 the CRA employee who made the attempt or obtained PAGE 14 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Measure & Documentation Clause Typically Subject to Desk Audit Potential Verification for Onsite Audit 5 8 Outsourced Verifica
50. on Typically Subject to Desk Audit CRA shall provide written policy procedure or other written CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit Potential Verification for Onsite Audit What auditor should look for in policy procedure activity CRA shall present written procedure for vetting new public record The vetting records may include but are not limited to 1 evidence of right to documentation describing the requirement to and methodology used researchers and demonstrate where how vetting results are retained conduct business such as copy of business license articles of to vet or qualify new public record researchers CRA shall provide written policy procedure or other written documentation describing how when where the signed certification local state and federal laws as well as in the manner prescribed is obtained from and retained for all current public record by the jurisdiction which maintains the official record of the court researchers CRA shall also provide copy of current certification never obtain information through illegal or unethical means and Note This certification may be incorporated in or an appendix to utilize document disposal and or destruction methods pursuant to the Public Record Researcher Agreement described in Clause the federal FCRA 4 4 Errors and Omissions Coverage E&O 3 11 2013 41 CRA shall make available the person
51. onsible for court jurisdictional knowledge CRA shall make this 4 court experience 5 investigator experience and or 6 three years work the jurisdictional level as evidenced by job description or other person available either in person by phone OR shall provide a signed experience with court records with the current CRA employer or other CRA s documentation If multiple people are responsible one person shall affidavit or similar document in which the person has affirmed their Compliance CRA Leader shall affirm his her role as being responsible for hold CRA Leadership role and overall responsibility as evidenced responsibility for court jurisdictional knowledge within the organization court jurisdictional knowledge within the organization and that s he is qualified by written job description or other documentation and that s he is qualified to hold such responsibility If interviewed to hold such responsibility this individual shall demonstrate knowledge of court and jurisdictional knowledge as well as identifying resources for additional information If interviewed CRA employees shall identify the person s who can provide court jurisdictional expertise when needed An individual may be qualified if they have one or more of the following 1 CRA shall provide qualifications of Court Jurisdictional Knowledge CRA Leader CRA shall provide evidence of qualifications by presenting resume N A educational credentials experience and or othe
52. other sensitive data elements as required by law CRA shall provide written policy procedure or other documentation describing method s used to comply with current FCRA requirements of source verification or sending notice to the consumer at the time information is reported CRA shall employ a minimum of one person who is responsible for CRA s development implementation and on going compliance with all applicable sections of the FCRA as evidenced by written job description s or other documentation If multiple people are responsible one person shall hold CRA Leadership role and overall responsibility as evidenced by written job description or other documentation CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit Potential Verification for Onsite Audit What auditor should look for in policy procedure activity CRA employees shall demonstrate knowledge of proper procedures Documentation should include but is not limited to 1 No more than the final for use of SSN s and other sensitive data elements as required by law four digits of SSN s shall be communicated in any form outside CRA and CRA employees shall be able to access current documentation employees unless an approved exception exists 2 When use of SSN and If interviewed CRA employees shall demonstrate understanding of other sensitive data elements as required by law is needed internally or proper use and protection of SSN s and othe
53. ould look for in policy procedure activity Recommended procedures may include but are not limited to 1 matching a minimum of two identifiers which may include name date of birth SSN current and previous addresses and or driver s license number and or 2 stating in client report which identifiers were used to conclude a match existed and or 3 stating information is based on a name match only if CRA reports based on single identifier adverse information that is reported based on a name match only with CRA s policy in regard to assuring maximum possible accuracy when reporting adverse information based on a name match only CRA employees responsible for such identification shall demonstrate knowledge of identification requirement and be able to access current 4 8 Jurisdictional Knowledge The CRA shall designate a qualified individual s or position s within the organization responsible for understanding court terminology as well as understanding the various jurisdictional court differences if CRA reports court records CRA shall employ or retain a minimum of one person who is CRA shall present written job description policy procedure or other responsible for CRA s understanding implementation and on going documentation which identifies by name and or title the person criminal justice degree 2 law enforcement experience 3 legal experience use of court terminology as well as variances which may exist at resp
54. r documentation 5 1 Verification Accuracy CRA shall maintain reasonable procedures to assure maximum possible accuracy when obtaining recording and reporting verification information CRA shall provide written policy procedure or other documentation CRA shall make available to auditor tools or systems used except CRA may provide information regarding verification accuracy to employees used to reasonably ensure accuracy and thoroughness in the actual personally identifiable information to reasonably ensure who are responsible for such accuracy by using various methods which may verification process verification accuracy If interviewed CRA employees responsible for include but are not limited to 1 written manuals 2 online manuals or verification accuracy shall demonstrate knowledge of accuracy instructions 3 classroom training 4 on the job training and or availability of requirement describe methodology by which they learn how to obtain expert to provide assistance when needed If classroom or on the job training accurate verifications CRA employees responsible for verification is used a training outline or manual may be used Methods used to accuracy shall be able to access current copy of documentation reasonably ensure verification accuracy may include but are not limited to AND OR CRA employees shall identify person s responsible for confirmation of identity through verification of SSN full name and or date of accuracy bi
55. r sensitive data elements externally the data exposed shall be limited to only that which is needed for as required by law AND if applicable the use of technology to the specific business purpose which has been identified 3 When protect SSN s and other sensitive data elements as required by law communicating SSN s or other data elements as required by law outside the CRA environment secure transport methods shall be used CRA employees responsible for the use of non governmental criminal The policy procedure should include either 1 process for verification of record databases shall demonstrate knowledge of compliant database information by researching in the originating jurisdiction venue or 2 database reporting and be able to access current documentation process to inform applicant of potentially adverse information being reported to employer prospective employer CRA shall present written job description policy procedure or other Compliance CRA Leader shall affirm his her role as being responsible for documentation which identifies by name and or title the person FCRA compliance within the organization responsible for FCRA compliance CRA shall make this person available either in person by phone OR shall provide a signed affidavit or similar document in which the person has affirmed their responsibility for FCRA compliance within the organization If interviewed CRA employees shall identify the person s who can provide FCRA
56. rred that disclosure of information source type of source scope of search and search methodology be included in consumer reports Lacking such disclosure reports should explain how user of consumer report may obtain such information PAGE 7 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Measure amp Documentation Clause Typically Subject to Desk Audit CRA shall inform client that there are legal requirements imposed CRA shall provide written policy procedure or other documentation by the federal FCRA and in some instances state consumer describing how when clients are informed that there are legal reporting laws regarding taking adverse action against a requirements imposed by the federal FCRA and in some instances consumer based on a consumer report CRA shall recommend state consumer reporting laws regarding taking adverse action to client that they consult with counsel to develop a legally against a consumer based on a consumer report CRA shall also compliant adverse action policy provide copy of document used to recommend to client that they consult with counsel to develop a legally compliant adverse action policy 3 5 Legal Counsel CRA shall communicate to client that they are not acting as legal CRA shall provide written policy procedure or other documentation counsel and cannot provide legal advice CRA shall describing how when clients are informed that CRA is not acting as communicate to client th
57. rth 2 confirmation of information source name address and contact information and 3 soliciting information from a source rather than providing leading information i e asking for job title rather than providing title and 3 11 2013 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA PAGE 12 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Clause 5 2 Current Employment CRA shall have procedures in place to contact consumer s current employer directly only when authorized by client and or consumer 5 3 Diploma Mills When attempting educational verifications from known or suspected diploma mills CRA shall have procedures in place to advise client of such 5 4 Procedural Disclosures CRA shall provide full disclosure to clients about general business practices regarding number of attempts to verify information what constitutes an attempt locate fees fees charged by the employer or service provider and standard question formats prior to providing such services 5 5 Verification Databases 3 11 2013 Measure & Documentation Typically Subject to Desk Audit CRA shall provide written policy procedure or other documentation used to ensure consumer s current employer is not contacted directly unless consumer and or client has provided explicit authorization CRA shall provide written policy procedure or other documentation used to reasonably ensure validity of academic
58. s only and include prohibition of browsing Documentation should require all consumer and client information be disposed of securely as to render information inaccessible unreadable and or unrecoverable per current FTC rules in which the following methods are permitted 1 burning pulverizing or shredding 2 destroy or erase electronic files and or 3 after conducting due diligence hire a document destruction company In addition paper documents containing personally identifiable information particularly name date of birth and SSN if retained at individual desks workstations shall be destroyed or inaccessible no later than the end of each work day The policies and procedures designed to handle consumer disputes must meet FCRA requirements which include but are not limited to 1 no charge to consumer 2 re investigate correct and or delete disputed information within 30 days or 45 days if extended of notice of dispute 3 notify information provider of dispute within 5 days of receipt 4 consider information provided by consumer 5 advise consumer if dispute is deemed frivolous or irrelevant 6 notify appropriate parties of dispute results and 7 comply with consumer request for description of re investigation process In addition CRA should document 1 responsibility of CRA employee receiving consumer dispute 2 how incoming consumer dispute letters emails phone calls should be routed upon receipt 3 re investigation respo
59. s received 5 11 Authorized Recipient 3 11 2013 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity The agreement should include but is not limited to 1 the requirement to conduct all verifications in full compliance with applicable law and regulation 2 scope of services provided 3 methods used to obtain information 4 time frame for communication and completion of requests 5 methodology for confirming identity of subject of verification 6 confidentiality requirements 7 reinvestigation requirements 8 documented attempts to verify per Clause 5 4 9 background check requirements and acceptable results for provider s employees and 10 signed non disclosure agreements from provider s employees In particular the agreement should emphasize confidentiality requirements including A the legal requirement to treat all consumer information as confidential B secure data transmission and C secure and timely disposal of confidential information CRA may provide information regarding processing and reporting of conflicting data to employees who have this responsibility by using various methods which include but are not limited to 1 written manuals 2 online manuals or instructions 3 classroom training 4 on the job training and or availability of expert to provide ass
60. th FCRA CRA employees responsible for activating client access to CRA systems products shall demonstrate knowledge that pre requisites exist before client is permitted access to CRA s products systems and how the employee knows it is permissible to activate access 3 11 2013 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA PAGE 6 OF 19 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM Measure & Documentation Clause Typically Subject to Desk Audit CRA shall have procedures in place to inform client that they CRA shall provide written policy procedure or other documentation have legal responsibilities when using consumer reports for describing how when clients are informed that they have legal employment purposes CRA shall recommend that client consult responsibilities when using consumer reports for employment their legal counsel regarding their specific legal responsibilities purposes and when how CRA recommends that clients consult their legal counsel regarding client s specific legal responsibilities 3 2 Client Required Documents CRA shall provide sample documents or inform client of specific CRA shall provide written policy procedure or other documentation documents which are needed to meet legal requirements describing how when clients are provided with sample documents regarding employer s procurement and use of consumer reports or how when clients are informed of specific documents which are needed
61. ther fraudulent activity to obtain preferential treatment from a public official 2 6 Prescribed Notices 3 11 2013 CRA s development implementation and on going compliance with all applicable state consumer reporting law as evidenced by written job description s or other documentation If multiple people are responsible one person shall hold CRA Leadership role and overall responsibility as evidenced by written job description or other documentation CRA shall employ a minimum of one person who is responsible for CRA s development implementation and on going compliance with all applicable DPPA law as evidenced by written job description s or other documentation If multiple people are responsible one person shall hold CRA Leadership role and overall responsibility as evidenced by written job description or other documentation CRA shall employ a minimum of one person who is responsible for CRA s development implementation and on going compliance with all applicable state DPPA laws as evidenced by written job description s or other documentation If multiple people are responsible one person shall hold CRA Leadership role and overall responsibility as evidenced by written job description or other documentation CRA shall provide written policy procedure or other written documentation such as an employee handbook clearly forbidding bribery or any other fraudulent activity to obtain preferential treatment from a public official
62. tion Services CRA shall require a signed agreement from all providers of outsourced verification services The agreement shall clearly outline the scope of services to be provided verification methodology documentation of verification efforts disclosure of findings time frame for communication and completion of requests confidentiality requirements reinvestigation requirements and other obligations as furnishers of information under the federal FCRA CRA shall provide written policy procedure or other written documentation describing how a signed agreement covering scope of services is obtained from and retained for all current outsourced verification service providers CRA shall also provide copy of current agreement If CRA does not utilize stored data CRA shall provide written affirmation to that effect CRA shall present written procedure for obtaining signed agreement copy of agreement and demonstrate where how signed agreements are retained CRA shall make available the person responsible for obtaining and retaining these agreements and auditor may ask to see but not retain a copy of signed agreements from one or more outsourced verification service providers If interviewed CRA employees responsible for working with these providers shall demonstrate understanding of requirement for signed agreement prior to utilizing services of provider OR technology shall prevent utilization of provider by CRA employees until CRA CRA Leader
63. tion is retained CRA shall present written document retention and destruction policy CRA shall make available the person responsible for document retention and destruction If interviewed this person shall demonstrate understanding of retention and destruction requirements CRA shall present written procedure for obtaining employee written certification that employee will adhere to CRA s confidentiality security and legal compliance practices If questioned CRA employees shall confirm they were required to provide this certification Auditor may ask to see but not retain copy of the certification signed by one or more employees NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity In the case of vendors which are recognized and commonly utilized by CRAs a signed agreement between the vendor and CRA will suffice as authentication Such vendors include but are not limited to major credit bureaus repositories of education and employment data motor vehicle record resellers etc For unknown vendors authentication records may include but are not limited to 1 onsite inspection results 2 evidence of right to conduct business such as copy of business license articles of incorporation state filing etc and authentication thereof 3 verification of working phone fax numbers website email 4 reference through a minimum o
64. to meet legal requirements regarding employer s procurement and use of consumer reports If CRA provides sample documents such documents shall also be provided 3 3 Truth in Advertising CRA shall communicate to clients the nature of the original CRA shall provide written policy procedure or other documentation source limitations variables affecting the information available describing how when clients are provided with information that and scope of information provided by each consumer reporting describes the composition of each consumer reporting product product offered by the CRA information source s used for each consumer reporting product factors affecting the information and any parameters or conditions applied by the CRA when reporting to client CRA shall provide copy of documents used to so inform clients If CRA provides actual consumer reports to demonstrate full and accurate consumer reporting product disclosure all personally identified information shall be redacted 3 4 Adverse Action CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Potential Verification for Onsite Audit CRA shall present written procedure for informing client that they have legal responsibilities and recommending that client consult with Client s legal counsel CRA shall present documentation describing how when sample documents are provided and any sample documents which are provided or how when clients are informed of specific documents whi
65. ty program This person shall be able to describe and or provide documentation related to visitor security and access control If questioned CRA employees shall demonstrate knowledge of visitor security policy CRA shall present written procedure for conducting a criminal records check every two years on all employees with access to consumer information CRA shall make available the person responsible for retaining these reports and auditor may ask CRA to demonstrate where how reports are retained as well as to see but not retain a copy of completed criminal records check report from one or more employees CRA shall present procedures which are in place to reasonably ensure the accuracy and quality of all work product CRA shall make available to auditor tools or systems used except actual personally identifiable information to reasonably ensure accuracy and quality in all work product If interviewed CRA employees responsible for work product shall demonstrate knowledge of accuracy and quality requirements describe methods used to ensure quality and accuracy shall be able to access current copy of documentation and shall identify person s responsible for providing on the job quality and accuracy leadership 3 11 2013 NAPBS CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Attributes of and Suggestions for Onsite Audit What auditor should look for in policy procedure activity CRA may provide training to employees regarding confident
66. vailable the document s used to so inform clients the person responsible for retaining signed acknowledgments and auditor may ask to see but not retain a copy of signed acknowledgments from one or more clients If interviewed CRA employees shall demonstrate knowledge of client s requirement to follow adverse action processes be able to access current copy of documentation AND OR CRA employees shall identify person s to address such topics CRA shall present written procedure for informing client that CRA does not provide legal advice or act as client s legal counsel CRA shall make available the document s used to so inform clients the person responsible for retaining signed acknowledgments and auditor may ask to see but not retain a copy of signed acknowledgments from one or more clients If interviewed CRA employees shall demonstrate knowledge of CRA s position that legal counsel is not provided be able to access current copy of documentation AND OR CRA employees shall identify person s to address legal topics CRA shall present written procedure for informing client how to obtain and understand consumer reports from CRA CRA shall make available the documents or systems used to so inform clients If interviewed CRA employees shall demonstrate knowledge of how such education is provided be able to access current copy of documentation AND OR CRA employees shall identify person s to address such topics 3 11 2013 NAPBS CRA ACC
67. y two years on all employees shall be conducted at least once every two years for the duration with access to consumer information when such criminal record of their employment Criminal offenses shall be evaluated to searches may be conducted without violating state or federal law determine initial or continued employment based upon their The documentation shall describe how results of these checks are access to consumer information and state and federal laws evaluated in relation to employee s access to consumer information state federal law and initial or continued employment 6 11 Quality Assurance CRA shall have procedures in place to reasonably ensure the CRA shall provide written policy procedure or other documentation accuracy and quality of all work product describing the methods used to reasonably ensure the accuracy and quality of all work product 6 12 Responsible Party CRA ACCREDITATION STANDARD WITH AUDIT CRITERIA Potential Verification for Onsite Audit CRA shall present written procedure for providing training to employees regarding confidentiality security and legal compliance practices of CRA CRA shall make available to auditor any materials used for such training If interviewed CRA employees shall describe training which was received CRA shall present written procedure for ensuring visitor security which prevents access to consumer information CRA shall make available the person responsible for visitor securi